Data Mishaps Drive Push for New Rules

Lawmakers call for federal mandates on IT security and privacy in wake of recent breaches

BY JAIKUMAR VIJAYAN

Federal lawmakers, reacting sharply to recent data security breaches at several large companies, are proposing a mix of legislation that could impose new compliance burdens on IT managers — including the need to certify that sensitive personal data is protected.

As a result, companies need to review their information security strategies and ensure that they have adequate technology and procedural measures in place for safeguarding confidential data, responding to incidents and monitoring compliance with corporate policies, according to users, analysts and lawyers.

“Any company out there, whether they’re currently regulated or not, needs to be re-evaluating their security and making sure they know what’s going on,” said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers that has members from more than 1,000 companies.

“This is an issue that’s hot and heavy in Congress right now,” added a security analyst at a large financial services firm who asked that he not be identified. “Who knows what that will lead to?”

Those kinds of concerns are being fueled by legislative proposals such as one detailed on March 10 by Sen. Jon Corzine (D-N.J.), who said he plans to file a bill that would lead to the creation of federal data-protection standards and require CEOs or chief compliance officers to personally attest that their companies comply with the rules.
Corzine’s  draft  leg- 
Data  Thefts,  page  57 


Bank of America's loss of tape cartridges prods some banks to encrypt data archived on tapes.

Tired of just reacting to attacks, savvy IT managers are going on the offensive with new tools and techniques to prevent security disasters. Stories begin on page 35.

Take a SANS Institute quiz to evaluate your security preparedness: QuickLink a558G


Users Turn to Operational Business Intelligence Tools

Emerging capability promises real-time access to most data

BY HEATHER HAVENSTEIN

To keep up with competitors, enterprises increasingly are demanding operational business intelligence — analytics embedded into processes to handle exceptions and make real-time decisions.

Several corporate users said last week that they are implementing such techniques as tools emerge from key vendors such as SAS Institute Inc., Information Builders Inc. and Cognos Inc.

Just last month, Briggs & Stratton Corp., a Wauwatosa, Wis.-based manufacturer of lawn mower and garden tiller engines, began rolling out portal technology from the SAS 9 BI tool set and pairing it with SAS analytical applications. The company is looking for the joint system to provide its employees with BI information embedded in accounting, production and sales processes.

“It is such a hot button for us right now,” said Grant Felsing,
decision-support  man- 
BI  Tools,  page  16 
How to Sponsor a Project

In the Management section: CIO Michael H. Hugos provides a crash course for your business sponsor on all the right questions to ask about IT projects. Page 29
6 IBM’s purchase of Ascential Software has users hoping for a strong investment in its integration technology.

7 Novell’s CTO discloses that he plans to leave the company, but most users are unfazed.

7 H-1B fraud investigations are expected to pick up as a portion of application fees are earmarked to fund such efforts.

10 Recent data thefts prompt IT organizations to consider alternative protective measures.

10 Wireless technology has made strides in aiding emergency responders, but a lack of interoperability remains a huge shortcoming.

12 Business process management gains popularity among financial services firms looking to boost sagging profits.

14 Global Dispatches: The U.K. is expected to shelve legislation for a national identity card program.

8 On the Mark: Mark Hall reports that vendors are hoping SIP will give IT managers more confidence about the security of VoIP products.

20 Don Tennant attends ceremonies for award-winning IT projects and award-winning IT journalism and reflects on the challenges both industries face.

20 Virginia Robbins knows that IT workers are professional, but she also knows they’re often perceived otherwise.

21 Michael Gartenberg breaks it down for IT decision-makers buying mobile devices.

26 Robert L. Mitchell says enterprises need to see the broader context of desktop search tools before integrating them into the IT infrastructure.

32 Barbara Gomolski wonders how much of a CIO’s destiny is shaped by his performance and how much is predetermined when he takes the job.
What’s a QuickLink?

On some pages in this issue, you'll see a QuickLink code pointing to additional, related content on our Web site. Just enter that code into our QuickLink box, which you'll see at the top of each page on our site.

58 Frankly Speaking: Frank Hayes acknowledges that data can easily leak out of an e-health system, but only if safeguards are full of holes.

Video E-mail Goes Corporate

In the Technology section: As the technology improves, video e-mail is finding its way into large companies as a tool for CRM, corporate communications and training. Page 23


42 Erecting Barriers. Intrusion-prevention systems don’t just tell you there may be an attack — they block it before it happens. But false positives remain a big problem. Plus, five tips for selecting an IPS.

46 Supersmart Security. Fresh from the lab, these intelligent security systems are designed to recognize new threats and limit damage.

50 Opinion: Most companies are overlooking their biggest security hole — their own people, says columnist Mark Hall.

36 A Good Offense. Tired of being under attack, IT executives like Eric Litt, chief information security officer at GM, are taking preventive steps to head off security breaches.

40 Baked-In Security. Standardized efforts to address security inside the perimeter can cut enterprise configuration management and incident-response costs.

Proactive Security

EDITOR’S NOTE: Learn how to build an IT security organization that can identify problems before they happen and block attacks before they do damage. PACKAGE BEGINS ON PAGE 35.
Data Points. Download this newest collection of security-related PowerPoint slides for your next presentation. QuickLink a5570

Opinion: Five tips for engaging the entire organization in the security process, by Diana Kelly, executive security adviser at Computer Associates. QuickLink 52585

15 Tips for Responsible Computing. The Cutter Consortium Business Technology Council offers strategies for reducing security risks. QuickLink 52856
Microsoft to Set VS 2005 Pricing

Microsoft Corp. this week will detail pricing for its Visual Studio application development tool, due to ship in the second half of the year. Licenses range from $49 for the Express Edition to $799 for the Professional Edition. Professional Edition costs $2,499 with a premium MSDN license, and volume licenses for the Team System start at $3,191.

Oracle, SAP Keep Battling for Retek

Oracle Corp. increased its bid for Retek Inc. to $630 million late last week, again outbidding rival SAP AG in the tug of war for the retail software maker. SAP had upped its bid to $616 million in response to Oracle’s surprise bid for Retek a week earlier. Retek’s board had accepted SAP’s second bid prior to Oracle’s latest offer.

Oracle CFO Moves To BearingPoint

Oracle Corp.’s chief financial officer, Harry You, has disclosed plans to leave the vendor after eight months on the job. You will become CEO of services company BearingPoint Inc., replacing interim CEO Rod McGeary. You had replaced Jeff Henley in July when Henley became chairman of Oracle’s board. Co-president Safra Catz will become acting Oracle CFO.

CA World Is Back On the Calendar

After considering canceling this year’s CA World user conference amid management changes last year, Computer Associates International Inc. has put the show back on its calendar, for Nov. 13-17 in Las Vegas. The last show was held in May 2004, three weeks after interim CEO Ken Cron replaced the scandal-tainted Sanjay Kumar. The bid to cancel the show was halted late last year by new CEO John Swainson.
IBM Pays $1.1B to Acquire Data Integration App Vendor

With Ascential deal, it gets Informix technology it passed over in 2001

BY MARC L. SONGINI

IBM’s $1.1 billion purchase of Ascential Software Corp. has users hoping that IBM will continue investing in Ascential’s data integration and management technology.

Ironically, Ascential was created in the aftermath of IBM’s 2001 acquisition of the Informix database from the former Informix Corp. IBM also bought the Informix name, so the remainder of the firm — consisting mostly of the data integration technology — was renamed Ascential.

IBM said it hopes to use the Ascential technology to extend its existing WebSphere data integration offerings. The joint portfolio will make it easier for customers to integrate, format and manage information for business intelligence, performance management and other operations, the company claimed.

Westboro, Mass.-based Ascential will be folded into the IBM information management software group, headed by general manager Janet Perna. IBM said management moves related to the acquisition will be disclosed once it’s completed. The deal is expected to close by midyear.

Wait-and-See Mode

A couple of Ascential users said they aren’t yet sure how the acquisition will affect them.

At the very least, IBM brings great size and breadth to the smaller company, whose product portfolio will also likely be enriched by IBM’s technology, said Danny Siegel, senior manager in the finance business technology group of Pfizer Global Pharmaceuticals.

“This couldn’t be anything but a plus from a client perspective,” he said.

However, Siegel also noted that he wants IBM to clarify its plans for continuing development of the Ascential product line and to assure customers that the move is indeed a “true strategic acquisition.” The Pfizer unit uses Ascential’s DataStage 7.5 to enable data integration.

Another Ascential customer, Stephen Zander, vice president of enterprise business intelligence services at health care provider McKesson Corp. in San Francisco, added, “I think we need to see some product direction announcements in the next 90 days before I’ll be comfortable.”

He noted there is overlap in some products, but none that will likely affect Ascential’s core customers.

Although IBM left Ascential on the table in its 2001 acquisition of Informix, the two companies formed a strong partnership and today share some 550 joint customers.

In an e-mail, an IBM spokeswoman explained that in 2001, IBM was focused primarily on buying a database and its installed base. Since then, IBM has started a major initiative around information integration.

“They are a fit for us today because now Ascential Software has far more customers and offers richer capabilities for customers at a time when we are focused on providing integration middleware,” she said.

AT A GLANCE

IBM/Ascential

PRICE: $1.1 billion

WHAT IT MEANS: IBM gets access to Ascential’s data integration, cleansing, management and formatting tools.

WHO’S IN CHARGE: Ascential will become a business unit in IBM’s information management software group under general manager Janet Perna.

WHEN THE DEAL CLOSES: In the second quarter of this year.

Why IBM didn’t buy out Ascential in 2001 isn’t clear, but apparently IBM’s management believed that integration could be achieved by just enhancing the Web server or database management system, suggested Curt Monash, an analyst at Acton, Mass.-based consultancy Monash Information Services and a Computerworld columnist. “Or maybe they just couldn’t agree on a price,” he said. QuickLink 53212


IBM Expects BI Boost From Deal

IBM’s acquisition of Ascential Software is part of the company’s new focus on positioning its DB2 database for data warehousing as well as maintaining its traditional stronghold as a transactional database.

IBM hopes to boost its business intelligence market share by utilizing Ascential’s extract, transform and load (ETL) tools, which are often used today in BI deployments because ETL is the preferred integration method for data warehousing projects.

Ascential's integration suite will complement IBM’s WebSphere Information Integrator products, according to IBM. Ascential technology can be used to populate and maintain data warehouses for strategic analysis while tapping IBM’s WebSphere integration products to correlate real-time events to information in the data warehouse, said Janet Perna, general manager of IBM’s information management software group.

The Ascential acquisition is part of IBM’s plan to snag a piece of the growing data warehousing and BI market, with more enterprises demanding access to performance data to make tactical decisions, said Philip Russom, an analyst at Forrester Research Inc.

“Since data warehousing is growing faster than transactional databases ... it makes sense for them to pursue that market,” he said. “The Ascential acquisition will give them a high-quality ETL tool for data warehousing.”

IBM in the second quarter of this year plans to release a new Data Warehouse Edition that integrates its DB2 database, DB2 Cube Views metadata bridge, WebSphere data integration tool and its data mining application. IBM has also released a BI package tailored for law enforcement and is working on packages aimed at the banking and insurance sectors.

Klaus Mikkelsen, global development leader at Ascential user Owens Corning in Toledo, Ohio, said the deal could have a positive long-term impact for his company, given IBM’s larger research-and-development resources.

“My biggest concern is around support, which traditionally has been outstanding for Ascential,” Mikkelsen said. “I would watch any changes in the support structure with some trepidation.”

- Heather Havenstein
Novell CTO Sets Exit Plan on Eve of User Conference

BY CAROL SLIWA

Just days before this week’s kickoff of Novell Inc.’s annual BrainShare user conference, its chief technology officer disclosed plans to leave the company at the end of the month to become the general manager of a software business unit at another IT vendor.

The planned departure of CTO Alan Nugent comes on the heels of former No. 2 executive Chris Stone’s surprise exit last November [QuickLink 50595]. But several Novell users said they were unfazed by the news that Nugent is following Stone, whose title was vice chairman, out the door.

“So the president and CTO have come and gone. This is just another one,” said Jay Hall, unit manager of server engineering at Blue Cross and Blue Shield of Alabama in Birmingham. “In our opinion, they still have the best technology around, and as long as we believe that’s true, we’re going to stay with them.”

Hall said he supports Novell’s Linux strategy as “the only chance they have to get back in the game.” His company already is testing the Open Enterprise Server software that Novell shipped earlier this month. OES supports file, print, directory and other computing services on both NetWare and SUSE Linux.

“All of those upper management positions seem to be a revolving door,” said Brad Staupp, a senior support analyst at NetWare user Johnson County Community College in Overland Park, Kan. “But I’ve been a beta tester for six years, and the majority of the people that write the code and do the day-to-day work, they’re still there.”

Novell hasn’t said whether it plans to fill Nugent’s or Stone’s positions, noted company spokesman Bruce Lowry.

Nugent, who said he joined Novell at Stone’s behest in June 2002, stressed that he was happy at the company and that his decision has nothing to do with Stone’s exit. He said the new job represents a “fabulous opportunity” to oversee a business unit that is “larger than Novell.” Nugent said he was approached by the company, which he declined to identify, and added that he will remain on Novell’s payroll until month’s end.

Jon Strickland, president of the Triangle Novell Users’ Group in Raleigh, N.C., said Stone’s departure sparked discussion at a member meeting. But he views Nugent’s departure as “par for the course” at Novell. “As long as they keep their general focus — being dedicated to Linux and open-source as well as supporting their NetWare base — I don’t think any customers should show any concern,” said Strickland, who is a senior network engineer at Alphanumeric Systems Inc., a Novell business partner.

Not everyone shares that view, though. A Computer Sciences Corp. employee who works on a contract basis at a large government agency and asked not to be identified said the management changes are “just another indicator that Novell is in trouble.”

The agency last November started to replace NetWare with Microsoft Corp.’s Windows Server, partly because of concerns about Novell’s long-term direction, according to the contractor. “And the sad thing is, they have a great product,” he said. “I would much rather be on NetWare servers and a NetWare directory than [on] Microsoft.”

QuickLink 53251


H-1B Fraud Investigations Are Expected to Increase

Higher application fee earmarks money for probes

BY PATRICK THIBODEAU

Companies that hire H-1B visa holders may soon face a greater risk of being investigated for their treatment of those workers because of changes in the law that are due to take effect this month and additional funding for enforcement by the U.S. Department of Labor.

For now, the number of investigations into H-1B abuses is small. According to Labor Department figures, agency officials conducted 49 investigations into alleged H-1B abuses from the beginning of the government’s current fiscal year last October through Jan. 31. In comparison, there were 142 and 118 investigations during the entire 2003 and 2004 fiscal years, respectively.

When Congress approved the Visa Reform Act of 2004 in November, it increased the H-1B application fee by $2,000 and earmarked $500 of each payment for antifraud efforts. Immigration attorneys said last week that they expect the Labor Department to increase its scrutiny of the use of H-1Bs after the government begins collecting the new fee.

“We are going to see more investigations, and not only because there is more money allocated for the purpose,” said Irina Plumlee, a lawyer at Gardere Wynne Sewell LLP in Dallas. She added that heightened security measures and the political climate in Congress are also factors.

H-1B Investigations

Who conducts them? Officials from the Labor Department’s Wage and Hour Division.

Penalties: In most cases, they involve payment of back wages. But civil penalties of $1,000 to $35,000 can be assessed per violation, especially if the violation was part of a move to displace a U.S. worker.

Frida Glucoft, a partner at Mitchell Silberberg & Knupp LLP in Los Angeles, said the number of investigations over the past few years seems low, “but I think we are going to be seeing more audits.”

The message for IT managers who use H-1B workers is to ensure that all of the program’s rules are followed to the letter, the attorneys said.

Investigations are typically triggered by complaints from H-1B holders. But the government can also conduct random audits or launch investigations based on information from third-party sources. A typical remedy involves payment of back wages by employers; for example, more than $2 million was paid to workers in fiscal 2003.

In addition to the antifraud funding, the new law gives federal officials more grounds on which to investigate companies, such as checking compliance with a modified wage-rate system that also is due to take effect this month. That system will allow for greater variances in pay to visa holders.


The government initially capped the number of H-1B visas available for this fiscal year at 65,000, a limit that was reached on Oct. 1 — the first day of the fiscal year. An additional 20,000 visas were supposed to become available on March 8 for foreign workers who hold master’s or Ph.D. degrees from U.S. universities, but that process has been delayed pending publication of the rules governing the visas in the Federal Register.

Robert Webber, an immigration attorney in Edina, Minn., said the handling of the new law by the U.S. Citizenship and Immigration Services (USCIS) agency has been an “absolute disaster.” The agency “has refused to accept filings by employers for the new H-1B [visas] and, in the process, has created complete confusion,” Webber said.

The confusion stems, in part, from a recent USCIS statement saying that the visas would be available to anyone, not just workers with advanced degrees. A spokesman for the agency said that until the rules are published, the exact requirements won’t be known. But he noted that the measure passed by Congress did create an exemption for 20,000 advanced-degree holders. © 53254


Corrections 

The story in last week’s News section about the bidding war between SAP AG and Oracle Corp. over Retek Inc. misstated the purchase prices that were being offered by both SAP and Oracle. A corrected version of the story can be read on our Web site at QuickLink 53136.

A story in the March 7 News section (“Tape Mishap Prompts Calls for Disk Backups”) included an incomplete title for Time Warner Cable executive Bo Coughlin. He is vice president of the Raleigh (N.C.) Division at Time Warner Cable Commercial Services.

The images that accompanied a March 7 story about the planned Freedom Tower in New York (“Project at World Trade Center Site Puts Advanced Design Tools to Test”) were provided by architect Skidmore, Owings & Merrill LLP. But they were rendered by New York-based dbox inc.

EC OKs Sale of ContentGuard

The European Commission has given Microsoft Corp., Time Warner Inc. and Thomson SA the green light to close their joint acquisition of digital rights management company ContentGuard Inc. in Bethesda, Md. The EC expressed concern last year that approving an attempt by Microsoft and Time Warner to buy ContentGuard would let the firms gain control of the DRM market. The EC approved the deal when Thomson was made a partner.


WebMD Buys Health Care Tools

WebMD Corp. in Elmwood Park, N.J., has acquired HealthShare Technology Inc., a maker of health care decision-support systems and a provider of Web-based tools for hospital quality comparison. It paid $31 million in cash and will pay an additional $5 million if financial milestones are achieved during this calendar year.


Beta Begins for Flagship SCO Unix

The SCO Group Inc. said its OpenServer 6 flagship Unix operating system has entered formal beta testing and is expected to ship in May. The product, code-named Legend, is part of a multiyear, multimillion-dollar development effort. The software is said to offer performance and security enhancements and have the ability to integrate with popular open-source technologies.


Verizon Buys 23 Spectrum Licenses

Verizon Wireless will pay $102.5 million to acquire 23 spectrum licenses and other assets from Leap Wireless International Inc. The deal, expected to close by midyear, will allow Verizon to expand its network into new U.S. markets while increasing its capacity in existing markets.

SIP Tips VoIP Into Secure . . .

. . . territory. Or so hope vendors hawking voice-over-IP products and services. Most suppliers of VoIP technology acknowledge the perception that it has security holes. But many feel that the Session Initiation Protocol (SIP), currently winding its way through the Internet Engineering Task Force’s standards process, can help put IT managers’ minds at ease. Kevin Fecher, CEO of OpenAir Technologies Inc. in Reston, Va., said he thinks that VoIP’s security problems “are overblown.” But, he acknowledges, you need to plan and deploy your VoIP network very carefully to ensure that it’s secure. Fecher, whose company installs VoIP systems for businesses, says the majority of his customers currently use the H.323 protocol, which is far more complex to manage than SIP is. But SIP is gaining ground, he adds.

SIP’s virtues include simple administration and the ability to handle any media, says Thom O’Connor, a solutions architect at Stalker Software Inc., a messaging technology vendor in Mill Valley, Calif. “Once you establish a connection, you can do anything over it,” he says, pointing to uses such as instant messaging, voice communications and e-mail. SIP also authenticates end users to ensure, for example, that callers or IMers are who they say they are. O’Connor says that with an IP infrastructure, a unified messaging strategy (“What we’ve all been talking about for 10 years”) is finally possible.

O’CONNOR: Unified messaging is finally at hand.

John Todd, chief technology officer at VoIP Inc. in Fort Lauderdale, Fla., argues that VoIP is already secure and that there’s no threat of someone tapping into your IP phone network. But, he concedes, vendors “are all worried about interception” of calls at an Internet service provider’s network hub. That’s the only place where calls can be snooped, he says.

Partisan election tool becomes . . .

. . . independent marketing product. The technology that was behind the Democratic Party’s record $185 million fundraising effort during last year’s political campaign is leaving the donkey’s tent for a broader audience. According to Juan Proano, president of New York-based Plus Three LP, his company’s Arcos 4.0 integrated stack of open-source Web, database and messaging technologies will become available this week to more than liberal politicians. Arcos includes tools to conduct and manage massive e-mail campaigns, and Proano says the new release improves workflow processes and boosts performance to handle spikes in Web traffic. The software is free, of course — but Plus Three charges between $150,000 and $300,000 for setup and customization. Acknowledging that his side lost last fall’s presidential election, Proano nonetheless defends Arcos. “We like to think that the technology held us close,” he says. Proano expects the primary users of the software will be nonprofit organizations, but he says companies with large-scale e-mail needs can also benefit. He adds that Plus Three might consider selling its services to Republicans “on a case-by-case basis.”

Stop political (and other) spam . . .

. . . from reaching your end users. Dan Wallace, vice president of marketing at DigiPortal Software Inc. in Sanford, Fla., says his company’s release of ChoiceMail Enterprise 3.0 next week “offers an end to the spam arms race.” New features include global policies that can override the antispam rules of end users. You can also use ChoiceMail’s administration console to block the IP addresses of spammers instead of doing that at your firewall — which is trickier to pull off, Wallace claims. The software costs $65 per user.

Meanwhile, Postini Inc. has taken pity on small and midsize businesses that are deluged with spam. Redwood City, Calif.-based Postini now offers its antispam service to companies with modest internal IT support. According to Andrew Lochart, director of product marketing, Postini Small Business Edition simplifies the battle against spam. For example, he says, the configuration process for Postini’s Enterprise Edition takes 15 steps, whereas the new release requires just two. It starts at $25 per user annually and is available today.

Des Cahill, CEO of Habeas Inc. in Mountain View, Calif., suggests that we need to rethink our spam defenses. “The war on spam as we’ve been fighting it isn’t working,” he says. Habeas’ goal is to make message senders prove themselves as legitimate e-mailers. Habeas establishes an accreditation and reputation score for senders. Its namesake technology creates profiles of senders’ practices that can be detected by antispam tools, such as the open-source SpamAssassin 3.1 software due out next month. “We’re building the über-whitelist for the Internet — a trust network for e-mail,” Cahill says. © 53213
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Messages 
Arcos  4.0  can 
send  per  hour. 


CAHILL: Rethink your spam defenses.



Data Thefts Prompting IT Security Checks

Stricter rules, encryption among options considered

BY LUCAS MEARIAN

Bank of America Corp.’s loss of credit card data on some 1.2 million customers, along with other recent security incidents, has renewed interest among some IT executives in encrypting data written to backup tapes. But others maintain that simply following existing data-protection rules can prevent such losses.

Drew West, vice president of engineering services at First National Bank of Arizona in Phoenix, said his bank is looking into encrypting the data it stores on tape, as well as other methods of increasing data security.

“We will be deploying additional encryption methodologies as well as harder authentication,” West said. “There are quite a bit of resources being focused on it.”

Rich Mogul, an analyst at Gartner Inc., said recent cases of data loss or identity theft through hacking have definitely accelerated plans at financial services firms to roll out greater data-protection schemes.

“There’s a reasonably widespread use of encryption ... as well as content-monitoring and -filtering tools,” he said. “I think it’s the fear factor that’s probably driving it more than anything else.”

On the other hand, Scott Jefferies, an independent IT consultant who works at a large Wall Street firm, said that any outcry for using complex security techniques such as encrypting data on backup tapes has so far been muted because there is too much processing overhead involved in the technology.

Jefferies, who declined to identify his current client, maintained that adherence to existing security processes can oftentimes eliminate or mitigate security problems.

For example, companies need to keep a tighter handle on password permissions and end-user access privileges to prevent theft by disgruntled workers or former employees.

“Things in the news that are huge right now are one-off issues. I don’t think they’re systemic or point to a pattern or a huge hole necessarily,” he said.

Data Security Options

■ Encrypt data that’s in transit or has been archived.

■ Employ content monitoring tools to identify proprietary data in e-mail.

■ Review password permissions, access rolls and end-user entitlements.


Wireless Helps on Homeland Security, but IT Gaps Remain

BY MATT HAMBLEN

NEW ORLEANS

The wireless technologies available to police, fire and other emergency workers have improved since the 9/11 terrorist attacks, according to a panel of government officials and vendor executives who spoke at last week’s CTIA Wireless 2005 conference.

But they said during the panel discussion and in later interviews that much work remains to be done to improve the interoperability of wireless devices for emergency responders and to set up effective warning systems in the event of another terrorist attack or a natural disaster.

The widespread lack of interoperability among public safety networks is one of the most serious homeland security shortcomings, panelists noted. “It’s going to take time to solve that problem, and it’s unfortunate,” said moderator Christopher Guttman-McCabe, assistant vice president for regulatory policy and homeland security at the CTIA, the Washington-based trade group that sponsored the conference here.

As an example of the disparities that now exist, the Tennessee Valley Authority has 38 different wireless networks used by various personnel, said one audience member, a communications engineer at the TVA who asked not to be named. The engineer added that 20 of the networks are now being consolidated into a single one based on Nextel Communications Inc.’s technology. The project with Nextel will hopefully simplify a complex system, although further consolidation would help, he said.

Some police and fire personnel are forced to carry several wireless radios or have to yell through bullhorns at emergency scenes, said Jim Dailey, director of the office of homeland security at the Federal Communications Commission. The problem is political as well as technological, Dailey noted; he and other panelists said that different jurisdictions in large metropolitan areas often want to retain control of their own networks.

Metropolitan regions might be able to increase cooperation among cities and towns by developing Wi-Fi mesh networks for transmitting information, said Ron Sege, president of Tropos Networks Inc., which has installed outdoor Wi-Fi routers in more than 125 cities nationwide.

The problem with using Wi-Fi for emergency purposes is that the networks operate in unlicensed radio spectrum, which makes them vulnerable to interference, said Guttman-McCabe. But technologies could be developed to prevent such vulnerabilities, he added.

Wireless network operators responded quickly to a call from President Bush for Wireless Priority Service capabilities after Sept. 11, 2001, said John Graves, WPS program director for the Department of Homeland Security’s National Communications System unit. WPS lets an emergency responder using a wireless device equipped with a special code be put at the head of the line of wireless calls running over a network, Guttman-McCabe said. © 53242




Some firms had started encryption efforts before the recent data-theft incidents.

For six months, Boeing Employees Credit Union (BECU) has been encrypting all data written to backup tapes using an appliance from Decru Inc. in Redwood City, Calif., in order to protect against unauthorized access to information that is moved off-site. The Tukwila, Wash.-based credit union uses Iron Mountain Inc. to move 140 tapes every week to a long-term archival site from four main data centers.

Backup Plans

Daniel Chow, IT systems and security engineer at BECU, said Decru’s DataFort T-Series storage security appliance adds no latency to his backup process. However, it has caused the Hewlett-Packard Co. disk arrays it is backing up to need rebooting from time to time because HP has yet to certify the DataFort appliance with its servers as EMC Corp. and other storage vendors have done.

“There were technical issues we had to spend a lot of resources to resolve,” Chow said. Even so, he said the Decru product has been very reliable for his daily backups, which involve about 4TB of data.

Chow noted that once backup tapes leave a data center, officials can never be positive of their security. “How confident are you that the courier is going to get that tape [to its destination] and not lose it?” he asked.

Bank of America said late last month that it had notified the U.S. Department of Defense and the General Services Administration that “a few” tapes containing account information for customers of the GSA’s SmartPay travel cards were missing [QuickLink 52928]. Bank of America spokeswoman Alex Trower did not return calls last week but previously said the tapes were part of a larger shipment of media to a backup data center. She wouldn’t say whether the tapes were stolen. © 53237



Ebbers Found Guilty Of WorldCom Fraud

Former WorldCom Inc. CEO Bernard Ebbers was found guilty on all charges of conspiracy and fraud brought against him in connection with the $11 billion in accounting misstatements that led to the telecommunications giant’s bankruptcy. Ebbers could receive 85 years in jail when he is sentenced June 13. Ebbers’ attorney said he plans to appeal the verdict.


IT Manager Gets Sentenced for Hack

An Orange, Calif., IT manager who earlier pleaded guilty to hacking into a previous employer’s computer network has been sentenced to five months in prison and ordered to pay $45,000 in restitution. According to a plea agreement, Mark Erfurt broke into the computer systems of Santa Clara, Calif.-based Manufacturing Electronic Sales Corp. in January 2003. At the time, Erfurt was an employee of an MESC competitor, Centaur Corp.


Former Qwest CEO Faces Charges

The U.S. Securities and Exchange Commission has charged former Qwest Communications International Inc. CEO Joseph Nacchio with fraud and other securities-law violations. The commission claims that from 1999 to 2002, Qwest engaged in a complex scheme to improperly record more than $3 billion in revenue and exclude $17.3 million in expenses.


Akamai Buys Rival Speedera

Content delivery specialist Akamai Technologies Inc. last week announced that it plans to acquire Santa Clara-based rival Speedera Networks Inc. in an effort to boost its standing against larger managed-services vendors. The $130 million stock deal is expected to be completed in the second quarter.

Business Process Tools Seen Lifting Profits

Financial services firms look for an edge versus rivals

BY LUCAS MEARIAN

Financial services firms will be adopting business process management (BPM) tools and techniques at rates outpacing those of other industries this year, because the efficiencies and cost savings they can create are vital in an industry quickly losing profit margins as products become commodities.

The message hasn’t been lost on vendors. For example, EMC Corp. in Hopkinton, Mass., is updating its BPM suite in the latest version of the Documentum enterprise content management platform set to be unveiled today (see story below).

The new EMC tool enters a field crowded with offerings from suppliers like FileNet Corp., Pegasystems Inc., Tibco Software Inc. and others.

Vendors of such tools can find significant opportunities among banks, brokerages and insurance companies, since these businesses can run more efficiently and boost worker productivity by automating processes, said Peter Redshaw, an analyst at Gartner Inc.

No Need for Paper

One of the drivers of BPM in financial services is the amount of electronic imaging for items such as checks, mortgages and loan applications, Redshaw said, noting that Gartner has found that BPM is spreading quickly among such firms.

Yet Redshaw said banks are moving cautiously for fear of exposing sensitive data on the Web-based applications.

The First National Bank of Arizona said that by rolling out a BPM tool from Ultimus Inc. in Cary, N.C., it was able to eliminate 20 paper forms related to access to selected corporate data.

Previously, the bank used numerous paper forms that required multiple signatures for varying levels of authorization.

“It saved an enormous amount of production time having that one-stop shopping versus going onto our Web sites to locate the forms for signatures and then get them signed and follow up manually,” said Karen Scheer, operations and technology business liaison at First National in Phoenix.

[BPM] saved an enormous amount of production time.
KAREN SCHEER, OPERATIONS AND TECHNOLOGY BUSINESS LIAISON, FIRST NATIONAL BANK OF ARIZONA

Scheer said that creating a centralized database for all information related to requests, as well as a central online location for requests and approvals, simplified management tasks.


EMC Unveils New Documentum Version

EMC today is unveiling a new version of its Documentum content management suite based on a new underlying architecture that the company says can fully integrate individual products in the suite.

Version 5.3 adds a unified architecture that lets each Documentum application share the same code base, leading some analysts to describe the package as a true product suite.

“What’s new is that they’ve now pulled together disparate elements: workflow, rules engines and content management. Now they have a suite of offerings,” said Peter Redshaw, an analyst at Gartner.

EMC is looking for the new version, especially its updated business process management tool set, to increase its standing in the financial services industry.

“Up until now, we couldn’t sell into insurance, financial applications, mortgage processing or loans,” said Lubor Ptacek, director of product marketing at EMC’s Documentum division.

Documentum’s Business Process Manager suite can now automate exception handling for things such as bounced checks or questionable invoices.

The new version also includes collaboration tools that can be used to automatically invite appropriate business users into an online Web forum and populate that forum with data related to that business transaction. Then the decision made by business users in the forum automatically triggers settlement of the exception. For example, in the case of an invoice, the tools would authorize payment.

- Lucas Mearian

NEW PRODUCT

EMC Documentum Version 5.3 includes:

■ Documentum Client for Outlook

■ Documentum Content Transformation Services

■ Documentum Collaboration Services

■ Documentum Business Process Management

■ Documentum Retention Policy Services

By definition, automating manual processes improves customer service, Redshaw said. “Automating things done manually on paper makes things faster, and customer service looks better — like processing a loan application in six days instead of six weeks,” she said.

Regulations Compliance

Sumitomo Mitsui Banking Corp. in Tokyo used the e-Work BPM tool from Metastorm Inc. in Columbia, Md., to facilitate worldwide Basel II and USA Patriot Act compliance. Rise Zaiser, vice president of business applications at Sumitomo Mitsui Bank, said it cost the company less than $500,000 to set up the system at a data center in New York.

The system automates the process of performing background checks on new banking customers through the U.S. Department of the Treasury’s Office of Foreign Assets Control, Zaiser said.

Metastorm’s e-Work platform also allowed the bank to create a globally accessible system for tracking customer activity while interfacing with multiple systems to decrease manual input and improve data accuracy for Basel II, which regulates the amount of cash reserves a bank must have.

“It enabled us to not only set up standardized processes to capture information, [but] we can also change the options people have for filling in [data] fields depending where they are in the world. For example, a ZIP code is a term used in the U.S., and a postal code is used in the rest of world,” Zaiser said.

Many of the processes at the bank had previously been performed manually, requiring personnel to stamp or sign forms and then send them to other employees for approval. © 53250



Opponents May Derail U.K. Biometric ID Card

LONDON

FACING LIKELY DEFEAT in the House of Lords this week, legislation to create a national identity card program is expected to be shelved by U.K. government officials until after the next general election.

The Identity Cards Bill would create by 2010 a system of ID cards with embedded chips that carry personal information and biometric identifiers, all stored in a massive database called the National Identification Register. But government ministers, who expect stiff resistance in the House of Lords, reportedly plan to table the bill and reintroduce it sometime after the May election.

The Identity Cards Bill was approved by the House of Commons in February. Prime Minister Tony Blair has insisted that the ID cards are needed to fight identity fraud, illegal immigration, terrorism and improper use of the National Health System. But critics of the bill have said that the ID cards would be a violation of privacy rights and that the biometric tests would incorrectly identify individuals 10% to 15% of the time.

■ LAURA ROHDE, IDG NEWS SERVICE


Perot Plans Acquisitions To Boost Global Reach

BANGALORE, INDIA

PEROT SYSTEMS CORP., an IT and business process outsourcing vendor based in Plano, Texas, plans acquisitions in India, Eastern Europe, Russia, China and Mexico to meet customer demands, Chairman Ross Perot Jr. told reporters here last week.

“We do follow our customers, and we have customers who are now in Eastern Europe and China, and they are asking us to continue to build capabilities there, which we will do,” Perot said. “We also have clients who are looking at Mexico and the rest of South America, and we need to build up capacity there, too.”

Perot was in India for the company’s board meeting, which was held for the first time in the country to underscore its importance in the company’s strategy. About 4,500 of Perot’s 15,000 employees are in India.

■ JOHN RIBEIRO, IDG NEWS SERVICE

GLOBAL FACT

Percentage of European IT managers who fear they will lose their job after a security breach.

SOURCE: WEBSENSE INC. SURVEY OF 500 EUROPEAN IT MANAGERS


Bank in South Africa Adds Cell Phone Access

JOHANNESBURG

FIRST NATIONAL BANK of South Africa, a unit of FirstRand Bank Ltd., recently launched cell-phone-based banking for customers, including those in rural and underserved areas where wireless phones are common but automated teller machines are not.

Cell phone users register for the service and send text via Short Message Service to a five-digit number. To get an account balance, for example, the customer sends a message reading “balance” to phone number 31321. The bank then requires a personal identification number before providing the requested information or transaction.

The fee-based service offers only basic functions, according to the bank, such as the ability to obtain a mini-statement of the past three transactions, get account balances and transfer money between a customer’s First National accounts.

■ NICOLAS CALLEGARI, COMPUTING SOUTH AFRICA


Compiled  by  Mitch  Betts. 


Briefly Noted

South Korea’s government recently complained that Microsoft Corp.’s software prices can be three times higher in South Korea than in the U.S. A government report said, for example, that Microsoft SQL Server 2000 Enterprise for 25 clients costs 18 million won in Korea - the equivalent of $17,930 U.S. - but costs $4,790 in the U.S. A spokesman for Seoul-based Microsoft Korea said that prices are set by retailers.

■ SEUNGEUN MYUNG, IT WORLD KOREA

Vodafone Group PLC, a wireless operator based in Newbury, U.K., will add 5.7 million customers in Eastern Europe with last week’s $3.5 billion acquisition of the Romanian and Czech units of Telesystem International Wireless Inc., which is based in Montreal.

■ LAURA ROHDE, IDG NEWS SERVICE

Microsoft said last week that its stripped-down Windows XP Starter Edition will be launched in India in June, initially in the Hindu language.

■ JOHN RIBEIRO, IDG NEWS SERVICE


Buyout Wave Pushes ASPs Into Deals With Big Vendors

Users anticipate potential benefits of increased efficiencies and lower costs

BY PATRICK THIBODEAU

About a month ago, Mumbai, India-based Mphasis BFL Ltd. contacted Victor Rodriguez, CIO at Carolina Care Plan Inc., to discuss its business process outsourcing (BPO) services. Mphasis officials also asked Rodriguez about Eldorado Computing Inc., which provides the health benefits management system used by the Columbia, S.C., company.

It was the first time Rodriguez had heard from Mphasis, and he suspected that the call was part of an effort to feel out Eldorado’s customers about a potential partnership between the two companies. But it turns out there was more to the call than that.

Last week, Mphasis announced that it has agreed to purchase Phoenix-based Eldorado for $16.5 million. Although it is a relatively small deal, the acquisition is nonetheless part of an accelerating merger trend in which large IT services vendors are buying application service providers (ASP).

Rodriguez said that at least in the case of the Mphasis/Eldorado deal, he sees potential benefits for users like him. “We have the possibility for Mphasis and Eldorado to leverage a partnership and bring a more cost-effective organization,” he said.

Carolina Care uses Eldorado’s Healthware ASP service for its core benefits management application, and the company outsources its claims processing work to a separate BPO vendor. Bringing those two activities together under one vendor may bring some efficiencies and lower costs, Rodriguez said.

He added that he will closely monitor Eldorado’s performance and that he thinks its service levels “may take a hit” as the details of the planned acquisition are ironed out. But Rodriguez said he doesn’t anticipate any major problems with the ASP.

In a related development, IBM last week said it had completed a $182 million acquisition of Corio Inc., a San Carlos, Calif.-based company that deploys and manages ERP and CRM applications. IBM plans to use Corio’s operations to broaden the application services portfolio offered by its Global Services unit.

And in January, Sun Microsystems Inc. bought SevenSpace Inc., an Ashburn, Va.-based managed services firm that remotely supports enterprise applications and other technologies on systems from Sun and rival vendors.

Checking the Pulse

ASP customers should “do a pulse check on that relationship,” said Meta Group Inc. analyst Dane Anderson, who recommended that IT managers review their service-level agreements and consider preparing contingency plans in light of the recent acquisition activity.

Joseph Sorisi, CIO at Platform Learning Inc., a New York-based company that provides tutoring services to some 50,000 students around the U.S., said that even in a situation where an IT vendor buys an ASP and wants to move its offerings to a different hardware platform, users should still have some power under their contracts. “The customer has control over the timelines,” Sorisi said.

Platform Learning has used hosted software from Nsite Inc. in Pleasanton, Calif., to automate many of its paper-based business processes. Sorisi said the ASP model has saved him from having to hire new IT staffers and to invest in maintaining and supporting applications internally.

BI Tools

ager at Briggs & Stratton. “Show me those things that are within my area that are not within norms or . . . are heading for a collision course.”

For example, the portal can alert accountants that correct accounting procedures are not in place to handle orders as a new engine is set to be shipped, Felsing said. Before the BI was embedded in its processes, the company would have to take orders out of the system, re-enter the correct accounting information and then re-enter orders the next day to ensure that the products would ship correctly, he explained.

Growing Market

SAS, Information Builders and Cognos are among a growing number of vendors making a push into operational BI, said Keith Gile, an analyst at Forrester Research Inc.

“Businesses want to get more value out of all of the data, not just the data warehouse. Many of the real-time decisions that need to be made must be made while the process is happening, like while the customer is on the phone or when the patient is being treated,” Gile said.

New York-based Information Builders earlier this month unveiled WebFocus 7, a BI tool set geared toward providing operational BI. It includes native access to more than 200 data sources through integration adapters from the vendor’s iWay Software subsidiary.

Information Builders and iWay have historically marketed their products separately, but they are now integrating iWay’s integration and metadata management tools into WebFocus 7 to meet a growing market for operational BI, said Michael Corcoran, vice president of Information Builders.

Scheduled to ship next month, WebFocus 7 will provide access to relational and legacy data, data from enterprise applications and data warehouses, and data from operational systems, he said.

Montreal-based Pharmascience Inc., a beta user of WebFocus 7, is hoping that the new integration features will help the pharmaceutical company better manage inventory, said Jonathan Despres, manager of information access.

Now, inventory information can be delayed by as much as a week, Despres said. Linking WebFocus 7 to the company’s SAP data warehouse — a goal of the firm — would allow inventory information to be included in product warehouse business processes, he said.

“If [users] get information delayed by a week, it’s almost impossible to reduce the inventory level,” he said.

Alaska Airlines Inc. in the past two months has begun deploying business analytics tools from Siebel Systems Inc. in its marketing organization. The tools will be integrated with Alaska Air’s customer management system and will incorporate data from Sabre Holdings Corp.’s Sabre reservations system, said James Archuleta, director of CRM at the Seattle-based airline.

The Siebel tools will enable Alaska Air to tie together loyalty program and flight-scheduling databases with a metadata layer from the Siebel technology. Call center representatives will then have updated customer information in their desktop applications, said Archuleta.

NEW PRODUCT

Information Builders’ WebFocus 7

New features include:

■ Native access to more than 200 sources of data, including relational and legacy databases, enterprise applications and data warehouses, and operational systems.

■ The ability to read data as a Web service.

■ Automatic server fail-over if queries exceed capacity.

■ Support for query simulation to determine how many servers will be needed for specific queries.


IT managers hope to gain insights on cultural issues

BY THOMAS HOFFMAN

IT managers from AAA, Visa, The Boeing Co. and other companies today will hold the inaugural meeting of an association looking to exchange ideas and best practices for IT portfolio management.

The organization, known as the Portfolio Management Council, is being spearheaded by San Retna, chief portfolio officer at San Francisco-based AAA of Northern California, Utah and Nevada. The genesis of the group, said Retna, comes from the need for IT portfolio managers to be able to dive into the “nuts and bolts” of portfolio management strategies and challenges.

For instance, said Retna, at industry conferences, IT portfolio management discussions tend to take a high-level view of the issues. In contrast, he and other members of the council, which also includes representatives from Safeway Inc. and Washington Mutual Inc., plan to explore more day-to-day challenges. That could include discussions of how portfolio management practices can affect staffing, and dealing with the cultural aspects of putting an IT governance committee into place, for example.

“Some organizations have been able to make the cultural changes necessary to put governance councils in place,” said Retna. “What can we learn from them?”

Dana Gardner, an analyst at The Yankee Group in Boston and a member of the council, said he anticipates that the group will broaden IT managers’ understanding about how IT and business objectives can be better aligned.

“The goals are to raise the consciousness of enterprises to some of these issues and build some discussion around how to get started,” said Gardner. “It’s one thing to have a vision and have an end goal; it’s another thing to put it into practice.”

Gardner said that this is the first IT portfolio management user group he’s aware of that isn’t being driven by a vendor, a trade group or a market research firm.

Retna said the group intends to tackle four specific areas over the next six to 12 months: determining whether an IT organization has invested in the most-effective IT projects; has the capacity and resources to execute on those projects; has the ability to address the change management aspects associated with IT portfolio management; and can judge whether IT projects are delivering their anticipated returns.

Retna said the group’s members plan to discuss in San Francisco this week some of the logistics for the organization, including the naming of officers and how often they intend to meet.

AT A GLANCE

Portfolio Management Council

A newly created association whose members (predominantly IT managers) will meet to discuss best practices and share ideas on IT portfolio management strategies.

AAA of Northern California, Utah and Nevada; Washington Mutual; Visa; Hewlett-Packard; Boeing; Safeway; Port of Portland; The Yankee Group

To be determined

this week

Group Offers Sarb-Ox Certification Program

Courses target IT, finance personnel

BY THOMAS HOFFMAN

An online community for Sarbanes-Oxley practitioners last week introduced a set of certification courses aimed at determining the proficiencies of IT and accounting professionals around the congressional regulatory mandate.

The Clifton, N.J.-based Sarbanes Oxley Group of Auditors and Professionals, known as SOXGAP, is planning to hold two training workshops in New York, on April 2 and 3.

The first course, called SOXBase, requires that participants pass a qualifying exam that tests their fundamental understanding of the Sarbanes-Oxley Act of 2002, said Sanjay Anand, chairman of the group, which was founded in 2003. A second course, called SOXPro, requires that candidates already have Sarbanes-Oxley experience and proficiencies.

The courses are offered to auditors and nonauditing professionals, including workers from human resources, legal, ethics and other departments who are or expect to become involved in Sarbanes-Oxley-related compliance efforts, according to Anand.

Anand said the group is trying to keep the class size at about 12 to 15 people in order to maintain an acceptable student-to-teacher ratio and to encourage classroom interaction.

The cost of the two-day class is $2,295.

A second set of classes is being planned for Los Angeles in late October, said Anand. Meanwhile, courses may be added for other U.S. cities this summer based on demand, he said.

IT Leaves Tax Savings out of the Equation

BY THOMAS HOFFMAN

Though IT managers continue to be under enormous pressure to cut costs, more than 70% of U.S. corporations fail to include tax departments in IT procurement decision-making, according to a survey of more than 200 IT and finance executives conducted by Deloitte Consulting and IDC.

Raffi Markarian, a principal with Deloitte Tax LLP’s ERP Integration Services practice in Chicago, last week discussed with Computerworld what steps IT organizations can take to recognize potential tax savings.



Why is the tax function so often overlooked during the IT procurement process?

There appears to be a gap between corporate departments, particularly between [the IT and tax departments]. Global 2,000 [companies’] tax departments generally report up to the CFO function, and IT is a different organization in the company, and the two just don’t cross paths, which is unfortunate.

As CFOs are more actively involved in IT investment decisions, shouldn’t they be aware of the need to include tax in such discussions?

They should, and I’m hoping that recent trends of more active CFO involvement bodes well. CFO involvement seems to be a two-pronged approach. [First], they’re actively involved in control and Sarbanes-Oxley issues. The second prong is an insistence on return-on-investment and payback scenarios.

Do most IT purchases by corporations qualify for federal or state R&D tax credits?

R&D is just one aspect of many different items. I would say that it’s probably not a majority but a minority of investments.

What type of investments do qualify for such credits?

Generally, IT investments that involve more-sophisticated and novel approaches, such as RFID as an example. Things that are not as ordinary.

What recommendations would you make to IT procurement officers?

To include tax in some shape or form in the decision-making process. To include tax considerations as early as possible. Then to ensure that appropriate tax representatives are involved through the life cycle of that project implementation. It’s a cause-and-effect kind of thing. Many folks on the IT side aren’t aware that every transaction that flows through an IT system has a tax implication somewhere along the line.

DON TENNANT

An Awkward Position

THIS IS COMING to you from a creepily dark, scarily tiny guest room at the W Hotel in Manhattan. The dark creepiness is apparently supposed to be very chic and avant-garde, but it doesn’t do much for me other than give me the willies.

I’m in town to attend the 51st annual Jesse H. Neal National Business Journalism Awards luncheon because Computerworld was a finalist for one of these prestigious awards. Having just recently returned from the Premier 100 IT Leaders Conference, where 100 of your peers were honored for their contributions to your profession, it was cool to feel a resurgence of that rush you get from seeing hard work, dedication and talent acknowledged and rewarded.

I couldn’t help but compare the two award ceremonies and the professions they honor. I’m sure I was as struck as anyone at the P100 conference by discussions of the sometimes overwhelming challenges that the P100 honorees in general, and the Best in Class award winners in particular, have had to overcome in the course of doing their jobs. IT is, to be sure, a very tough and demanding profession.

As IT journalists, we do our best to imagine walking in your shoes so we can gain an appreciation for what keeps you awake at night. But what do you suppose keeps an IT journalist awake at night? Besides the night sweats stemming from being cooped up in a claustrophobic but oh-so-chic hotel room, I mean.

Sure, there are the constantly looming deadlines, but your profession has those as well. I’ve found that a real challenge of this job is being in a position in which you have to publicize people’s transgressions. Think about it. That’s a fairly awkward, uncomfortable position to be in.

You don’t have to be a religious or moral zealot to recognize that there’s something to be said for that admonishment about casting the first stone. I’ll be honest and say that Barry Bonds, the baseball player, touched a nerve at that press conference last month when he lashed out at journalists who were hounding him about his use of steroids.

“All of you guys have lied,” he told them. “Should you have an asterisk behind your name?”

It was a legitimate question. The fact is, there’s not a journalist (or an IT professional or anyone else) who hasn’t done something that in hindsight he wishes he hadn’t done and that he’d be very happy not to have publicized. That’s just a simple fact of life. Yet we publicize other people’s wrongdoings all the time.

As I write this, there’s a story just hours old on our Web site about the transgressions of Bernie Ebbers, the former WorldCom CEO who was found guilty of fraud and conspiracy [QuickLink a5590]. And another one about Joseph Nacchio, the former Qwest Communications CEO who, according to the SEC, engaged in fraud as well [QuickLink 53207]. Those are important developments that you need to be aware of. But I’ll have to leave it to the journalism ethics professors to explain why it’s not hypocritical for us to run those stories while not wanting our own goof-ups to be publicized. I’m not sure I have a good answer.

Which is not to say I’m not perfectly happy to publicize the offense of charging $269 a night for a walk-in closet with a bed, a TV and a desk with a dim light. And who ever heard of naming a hotel “W”? Now that’s a transgression.

Don Tennant is editor in chief of Computerworld. You can contact him at don_tennant@computerworld.com.
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VIRGINIA  ROBBINS 

Changing  IT’s 
Rep  Through 
Small  Talk 

I JUST SAW another one of those commercials that make fun of the unprofessional IT worker. I’m sure you’ve seen this one: The Suit comes into the Techie’s work area and asks if something can be done by Tuesday, to which the Techie responds unprofessionally. The Suit offers to negotiate for the Techie, and the Techie snaps to and says he’ll call a vendor, the commercial’s sponsor. The Suit is left confused, the Techie gloating, and the Sponsor looking great.

And  IT  workers  everywhere  are  left 
with  an  image  problem. 

This  month,  we  also  heard  from 
Gartner  that  CIOs  are  the  lowest  of 
the  C-level  executives,  with  a  record 
number  of  CIOs  reporting  to  non- 
CEO-level  managers. 

Meanwhile,  our  trade 
magazines  are  filled 
with  IT  managers 
bemoaning  how  mis¬ 
erable  it  is  to  be  in 
the  profession.  If  you 
get  a  chance  to  read 
magazines  aimed  at 
other  C-level  posi¬ 
tions,  you’ll  find  that 
they  present  a  much 
more  positive  out¬ 
look  to  their  readers. 

What  is  it  that  makes 
the  difference?  I 
know  that  most  of  us  act  like  profes¬ 
sionals,  and  for  the  most  part  we  like 
our  jobs.  But  like  trial  lawyers,  we  have 
a  stereotypical  reputation  that  is  dam¬ 
aging  to  our  profession. 

I  believe  this  is  the  best  time  to  be 
in  IT.  Technology  is  everywhere,  and 
there  are  more  opportunities  than  ever 
before.  The  challenge  is  finding  them. 

I  came  across  a  great  article  by 
Susan  RoAne  titled  “How  to  Create 
Your  Own  Luck:  The  ‘You  Never 
Know’  Approach  for  Turning  Seren¬ 
dipity  into  Success.”  RoAne  is  a  speak¬ 
er  whose  specialty  is  motivating  peo¬ 
ple  to  mingle.  Don’t  laugh;  I’ll  explain 
why  this  is  an  important  skill.  She  has 
spoken  at  Oracle,  Autodesk  and  other 
technical  and  engineering  companies. 

She  lists  10  behaviors  for  creating 
your  own  luck;  here  are  a  few  that 
I have found the most challenging.

The  first  and  second  behaviors  are 
to  be  open  and  positive  and  to  observe 
people  who  are  open,  imitating  their 
behaviors,  including  both  what  they 
say  and  don’t  say.  Open  doesn’t  mean 
blabbing  company  secrets.  It  means 
using  positive  storytelling  as  a  way  to 
motivate,  connect  and  share  experi¬ 
ences  with  staff,  peers  and  colleagues. 
When  I  first  tried  this,  I  found  it  ex¬ 
tremely  difficult.  It  was  so  much  easier 
to  be  ironic. 

Another  behavior  is  to  make  small 
talk.  RoAne  notes  that  through  small 
talk,  we  find  out  about  areas  of  com¬ 
monality,  which  form  connections  that 
in  turn  form  business  relationships. 
When  RoAne  and  I  spoke  last  week, 
she  shared  a  story  about  two  Boeing 
engineers  who  worked  together  for 
nine  years  before  finding  out  that  they 
lived  in  the  same  neighborhood.  Too 
often,  we  concentrate  on  the  work  at 
hand  and  miss  opportunities  to  learn 
about  one  another.  I  wonder  how 
much  more  we  could  communicate  if 
we  used  those  few  minutes  before  or 
after  a  meeting  to  find  out  how  the 
business  owner’s  weekend  was  or 
whether  he  has  children. 

I’ll leave you to read the rest of RoAne’s article at www.susanroane.com. Even if you don’t agree with all of her recommendations, try one or two that you don’t normally do and see whether it makes a difference. I’m not sure this is the answer, but I do know that we need to improve our reputation and create our own opportunities. © 53147

GARTENBERG

In  Mobile 
Computing, 
Size  Matters 

CONVENTIONAL wisdom about mobile computing says that end users are willing to carry only one device. This belief has led vendors to race to create the perfect single product. The problem with converged devices, though, is that they require compromises on functionality, and in fact the single-device notion is more myth than reality.

Based on a recent JupiterResearch consumer survey, we know that while users prefer to carry only one device when that is possible, they are actually willing to carry up to three, based on contextual circumstance. But there’s more to the story than that; size is critical, and that’s why it’s important to break down the form factors for mobile devices into four categories. If you’re making decisions about purchasing mobile technology for end users, you must keep these four categories in mind.

■  Devices  that  require  an  ad¬ 
ditional  case.  Any  device  that 
requires  its  own  case,  like  a 
projector  or  large  laptop 
computer,  means  end  users 
must  carry  a  significantly 
larger  load,  in  terms  of  both 
bulk  and  weight.  Because 
users  must  make  a  concerted  effort  to 
carry  such  a  device,  they  will  do  so 
only  when  they  need  the  dedicated 
functionality. 

■ Devices that are cased with other devices. These are things that fit into a case that the user is already taking along. If a user is already carrying a bag that holds a laptop, taking several smaller items (such as a BlackBerry and cell phone) in the same bag requires little extra effort.

■  Pocketable  devices.  These 
devices  are  carried  inde¬ 
pendently,  on  the  person. 
There’s  a  stark  line  of  de¬ 
marcation  between  this 
category  and  the  two  al¬ 
ready  discussed.  A  lot  of 
things  can  go  into  a  laptop 
case,  but  there  are  only  so 
many  items  that  can  be  car¬ 
ried  on  the  person.  As  a 
rule,  pocketable  devices  are 
worn  on  the  person  and  are 
noticeable.  As  each  device 
is  added  to  the  mix,  bulk 
and  weight  grow  signifi¬ 
cantly.  As  a  result,  our  re¬ 
search  tells  us  that  most 
users  will  not  carry  more 
than  three  devices  on  their  person,  and 
two  devices  is  the  sweet  spot. 

■ Invisible devices. This is the most interesting category. Users do not hesitate to carry devices that they perceive as invisible. Watches, wallets and keys all fall into this category. Increasingly, cell phones that are small and lightweight are being perceived by those who carry them as invisible as well.

What  all  this  means  is  that  vendors 
are  racing  in  the  wrong  direction  to 
meet  a  user  need  that  isn’t  there.  For 
example,  reducing  functionality  in  the 
interest  of  making  a  device  smaller  is 
foolish  if  the  device  isn’t  made  pock¬ 
etable.  Likewise,  increasing  functional¬ 
ity  while  losing  the  ability  to  be  carried 
ubiquitously  can  be  wrong  as  well.  IT 
departments  need  to  be  careful  when 
selecting  devices  for  end  users,  and 
form  and  function  need  to  go  hand  in 
hand.  At  the  same  time,  users  shouldn’t 
try  to  sacrifice  functionality  for  the 
sake  of  device  size.  Trying  to  replace 
your  laptop  with  a  BlackBerry  or  Treo 
might  be  feasible  on  a  day  trip,  but  if 
you’re  going  for  a  week  and  need  to 
update  your  five-year  sales  projec¬ 
tions,  take  a  real  computer  with  you. 

How many devices do you carry on your person and in your bag when you’re on the road? In a future column, I’ll publish an updated list of the most popular things people take with them and why. © 53070

Looking for the IT Leaders of Tomorrow


I AM A RECENT MBA graduate from the University of Michigan Ross School of Business. I often saw top firms visit campus to recruit students for leadership rotational programs in areas such as finance, marketing and strategy. However, only a handful of firms came to recruit MBA students for positions in IT. When I last looked, there were at least 245 leadership rotational programs for graduating MBA students among large U.S. companies, but only 10 of these programs were IT-focused.

In his “Masters of Frustration” editorial [QuickLink 52643], Don Tennant mentioned that he often hears IT executives complain that universities aren’t graduating enough students with both IT and management skills. When I talk to faculty who teach technology courses at the B-school, I often hear them complain that companies don’t value technology skills in graduating MBA students and hence there isn’t sufficient interest in technology courses. Today, IT is the central nervous system of many organizations. As organizations understand this and understand the value of having MBAs in the IT department, we will move closer to the day when CEOs come from the IT function.


I IMAGINE YOU have heard of Northface University in Utah. Its business is producing graduates tailored to the needs of large IT vendors such as IBM and Oracle. It offers a program that combines business and IT instruction from the students' freshman year on. I believe that this model is more likely to produce what the industry is looking for than changes made by traditional MBA programs.

Scott Peterson
Sandy, Utah

DON TENNANT has sided completely with industry in believing that educators are to blame for the lack of IT managers. This is bull. Time and again, industry fails to implement a method whereby skilled technologists can effectively move into management through educational initiatives. Yes, quite a few of the “poster children” companies have effective programs, but most don’t. I am now in an industry that values knowledge: education.

Brian Nelson
Systems administrator,
Richardson, Texas


Patients’ Rights

KYM GILHOOLY’S article regarding electronic health records [“Rx for Better Health Care,” QuickLink 51989] doesn’t make much mention of what I believe is the largest stumbling block of all: medical data ownership. Patients are able to access “their” records only at the approval of the provider. The benefits to be gained from either full interoperability or actual records consolidation are immense, but as the public becomes aware of such issues as the effect their comprehensive record can have on their insurance or their future care, there will likely be backlash. Safeguards such as the ability for patients to review and amend their records will have to be balanced against the ability of providers to honestly and accurately report not only objective test results, but also subjective observations that aren’t always available to patients today. Another issue that will have to be addressed sooner rather than later is the ability to easily strip identification data from records to enable medical researchers to benefit as well.

Dave Kristof
San Antonio


COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 1 Speen Street, Framingham, Mass. 01701. Fax: (508) 879-4843. E-mail: letters@computerworld.com.

Include an address and phone number for immediate verification.

For more letters on these and other topics, go to www.computerworld.com/letters
Security In Business Context


Security guru Bruce Schneier, in his excellent book Beyond Fear (Copernicus Books, 2003), notes that U.S. cybersecurity officials have tried to get American CEOs who are in charge of critical facilities (such as nuclear power plants) to spend big bucks on security, for the good of national security. The appeal to patriotism hasn’t worked. “If the CEO of a major company announced that he was going to reduce corporate earnings by 25% to improve security for the good of the nation, he would almost certainly be fired,” Schneier says. And rightly so. “Sure, the corporation has to be concerned about national security,” Schneier writes, “but only to the point where its cost is not substantial.”

The  point  is  that  security  is  a  bal¬ 
ancing  act.  We  all  know  there  can 
never  be  perfect  security,  and  it 
would  be  unaffordable  if  it  were 
possible. 

“We can make our systems completely secure only at the expense of infinite cost or zero utility,” says another security veteran, consultant William Hugh Murray. “They will be completely secure if we unplug them. They will be completely secure if they have no users or uses. They will be more secure if we do not connect them to a network.”

Of  course,  the  opposite  is  true.  We 
have  more  users  —  including  outside 
trading  partners  in  the  supply  chain 
—  and  more  connections  to  the  wide- 
open  Internet  and  wireless  networks. 

And the problem isn’t imaginary or hype. In a recent survey of 163 large U.S. organizations by Ponemon Institute in Tucson, Ariz., 122 (or 75%) reported a data security breach in the past 12 months. In many cases, the result was a leak of customer information, employee information or confidential business information.

Tops  on  the  Agenda 

Fortunately,  security  has  rocketed  to 
the  top  of  the  corporate  IT  agenda. 


Pain Points

Which technology areas are the greatest sources of pain in your organization today?

1. Security
2. Storage
Software license management
Remote access

BASE: 104 C-LEVEL EXECUTIVES AT U.S. BUSINESSES WITH MORE THAN 100 EMPLOYEES
SOURCE: SAGE RESEARCH INC.

Almost every survey shows that it is
No.  1  on  the  list  of  IT  concerns  and 
high-priority  spending  plans.  In  part, 
this  is  because  of  virus  outbreaks 
such  as  Blaster  and  Slammer  in  2003, 
the  worst  year  of  malicious  code  out¬ 
breaks  in  the  20-year  history  of  com¬ 
puter  viruses. 

The  greatest  barrier  to  effective 
security  is  an  inadequate  budget, 
according  to  a  study  by  Pricewater- 
houseCoopers  and  CIO  magazine. 
Prior  to  the  2003  virus  outbreaks, 
security  budgets  had  been  flat,  but 
many  IT  organizations  report  more 
security  spending  since  then.  Inter¬ 
estingly,  those  organizations  that  ex¬ 
hibit  the  best  practices  in  IT  security 
management  tend  to  allocate  a  bigger 
portion  of  their  budget  to  information 
security  (14%,  compared  to  11%  for 
other  respondents),  the  Pricewater- 
houseCoopers  study  finds. 

Regulatory compliance is causing a lot of security activity, too. Of 229 U.S. organizations surveyed by Enterprise Strategy Group Inc., 73% say regulatory compliance is behind the increase in security investment. (But only 32% of the companies are very confident they would pass the IT security portion of an audit.)

“Governance  and  compliance  is¬ 
sues  are  still  driving  the  need  for  in¬ 
formation  security,  with  some  of  the 
budget  coming  from  compliance  ini¬ 
tiatives  related  to  Sarbanes-Oxley 
[Act  compliance],”  says  Joe  Duffy,  a 
partner  at  PricewaterhouseCoopers. 

The  “best  practice”  organizations 
also  adopt  a  long-term  view  of  securi¬ 
ty  investment,  versus  a  one-year-at-a- 
time  planning  cycle,  according  to  the 
PricewaterhouseCoopers  and  CIO 
study.  Moreover,  best  practice  compa¬ 
nies  were  more  apt  to  engage  the 
business  units  in  decision-making 
about  security. 

The  Security  Imperative 

So what’s the “security imperative” in the title of this report? We have to try hard to protect the company’s information assets, but without bankrupting the company or making its systems unusable.

In  other  words,  the  goal  is  security 
in  business  context.  As  security  ex¬ 
pert  Donn  B.  Parker  put  it  in  his  book 
Fighting  Computer  Crime  (John  Wiley 
&  Sons,  1998):  “Business  has  no  pa¬ 
tience  for  excessive,  impractical  secu¬ 
rity  advice.” 


That’s  why  this  report  is  full  of 
peer-tested  strategies  and  tips  for  im¬ 
proving  security  in  business.  In  the 
first  section,  it  covers  the  following 
topics: 

■  How  to  outsource  security  to 
managed  security  services  providers 
—  and  what  questions  to  ask  before 
you  do. 

■ How to implement an identity management program.

■  How  to  protect  your  corporate 
systems  from  remote-access  points 
such  as  telecommuters. 

■  How  to  thwart  insider  abuse  and 
plug  the  security  gaps  caused  by  in¬ 
stant  messaging. 

Perhaps  most  important  is  the  sub¬ 
sequent  section  on  business  issues. 
You’ll  learn  how  to  provide  —  and 
maybe  even  strengthen  —  IT  security 
during  a  merger  or  acquisition.  Plus, 
former  CIO  Doug  Lewis  provides  a 
brilliant  (and  politically  savvy)  way 
to  sell  security  to  the  chief  financial 
officer  and  get  the  budget  you  need 
for  a  prudent  level  of  security. 

Prudent  is  the  key  word  there.  It 
implies  trade-offs  —  the  trade-off  be¬ 
tween  absolute  security  and  afford¬ 
ability.  “There  is  no  single  correct 
level  of  security,”  Bruce  Schneier  says 
in  Beyond  Fear.  “How  much  security 
you  have  depends  on  what  you’re 
willing  to  give  up  in  order  to  get  it.” 

In  the  future,  Parker  says,  “The  mo¬ 
tives  and  desire  for  prudent  security 
must  come  from  the  business  man- 


“The  Security  Imperative,”  offers  dozens  of  tips  and 
strategies  for  protecting  your  business  from  internal  and 
external  threats.  IT  managers  tell  you  how  to  (safely)  out¬ 
source  security  functions,  implement  identity  manage¬ 
ment,  plug  instant-messaging  gaps  and  even  get  a  bigger 
security  budget  from  the  CFO!  Plus,  you’ll  get  tactics  for 
securing  telecommuters,  who  could  be  your  company’s 
weakest  security  link! 


FREE  DOWNLOAD:  “The  Security  Imperative” 
For  a  limited  time,  get  this  full  report 
(a  $195  value)  for  free,  compliments  of  Cisco. 
www.computerworld.com/securitybriefing 
MAIL

Goes  Corporate 


Improvements  in  video  e-mail  technology 
have  translated  into  its  adoption  by  large 
companies.  BY  KATHY  CHIN  LEONG 


IF JOE BIANCO has his way, movie star Russell Crowe will soon be firing off video e-mails to his fans thanking them for their support. Perhaps the actor/singer will embed clips of his latest recording session along with a personal note of appreciation. It’s possible.

Bianco,  CEO  of  New  York-based 
Sheridan  Square  Entertainment,  is  so 
convinced  that  video  e-mail  technol¬ 
ogy  is  the  wave  of  the  future,  he  has 
inked  a  contract  with  provider  First 
Stream  in  Irvine,  Calif.,  to  outfit  his  100 
employees  with  the  service.  And  Sheri¬ 
dan  Square,  which  owns  Crowe’s  label, 
Artemis  Records,  will  be  offering  its 
musicians  the  opportunity  to  send 
video  e-mails  to  admirers. 

“There  are  two  reasons  why  we  are 
very  excited  about  video  e-mail,”  says 
Bianco.  “First,  we  will  be  using  this  for 
corporate  interoffice  communica¬ 
tions.”  With  offices  in  four  U.S.  cities, 
using  video  e-mail  will  cut  down  flying 
time  substantially,  he  says.  “Second, 
our  artists  can  maintain  connec¬ 
tions  with  their  fans.  I  antici¬ 
pate  that  a  heavy  metal  artist 
will  send  a  message  that  will 
look  very  different  than  a 
folk  singer’s.” 

Once  dismissed  as  a  gim¬ 
mick,  video  e-mail  is  beginning 
to  make  inroads  into  business 
communication.  As  the  technology 
has  been  refined  and  costs  have  been 
reduced,  name-brand  corporations  have 
begun  to  give  video  e-mail  a  try. 

EARLY  DAYS 

In  the  mid-1990s  —  the  early  days  of 
video  e-mail  —  the  technology  was 
interesting  but  rough  around  the 
edges.  PCs  had  to  be  beefed  up  with 
high-end  graphics  cards,  megabytes 
of  memory  and  special  camera  gear. 
High-speed  transmission  lines  were 
scarce.  Not  only  was  it  expensive,  but 
it  also  was  kludgy. 

“Back then, video over Internet looked more like a series of fast photographs,” says Paul Braun, president of New York-based VIDISolutions. “Compression was not so good. Big, bulky files came very, very slowly.”

Faces  looked  pasty;  voices  failed  to 
sync  with  moving  lips.  Full-motion 
video  via  the  Web  reminded  users  of  a 
bad  Japanese  movie  with  poor  dub¬ 
bing.  But  video  streaming  arrived  in 
the  late  1990s,  permitting  users  to  view 
footage  without  hogging  disk  space.  In 
video  streaming,  full-motion  images 
flow  through  the  recipient’s  computer, 
but  the  video  data  resides  on  the  pro¬ 
vider’s  server,  not  the  user’s. 

FINDING  A  HOME 

Video  e-mail  is  no  longer  an  orphan 
technology.  Organizations  such  as 
the  Miami  Dolphins  football  team, 
DaimlerChrysler  AG  and  Eli  Lilly 
Corp.  are  relying  on  video  e-mails  for 
ad  campaigns,  internal  announcements 
and  market  surveys.  These  businesses 
are  also  using  the  technology  for  sales 
training,  public  relations,  customer  up¬ 
dates  and  product  releases. 

Ease  of  use  is  key  to  the  growing 
market  for  video  e-mail.  First  Stream 
recently  announced  First  Stream  Mail 
4.0,  which  can  deliver  messages  via 
any  player  platform,  be  it  Java,  Quick¬ 
Time,  Flash  or  Microsoft  Media  Player. 
The  viewing  window  in  the  new  re¬ 
lease  has  been  enlarged  to  3-by-2  in. 
and  can  be  expanded  to  a  full  screen 
with  a  single  click. 

With  First  Stream,  video  message 
senders  attach  a  camera  such  as  Logi¬ 
tech’s  QuickCam  for  Notebooks  Pro  or 
link  an  off-the-shelf  camcorder  to  the 
PC.  Next,  they  activate  the  video  e-mail 
service  and  hit  the  Record  button  on 
the  screen.  After  recording,  they  can 
embellish  the  message  with  text  and 
graphics.  Most  services  operate  in  a 
similar  fashion,  each  with  variations  in 
multimedia  platform,  maximum  video 
length  and  window  size.  Users  gener¬ 
ally  pay  an  installation  fee  and  are 
charged  a  monthly  or  annual  subscrip¬ 
tion  fee,  which  can  range  from  $9.95  to 
$100  per  seat  per  month. 

Some companies are cutting costs
with video e-mail. Focus group firm
BIGresearch LLC uses video e-mail and
PC-to-PC  videoconferencing  technolo¬ 
gy  to  gather  consumer  data.  Instead  of 
renting  rooms  to  host  focus  groups,  for 
the  past  two  years  the  Worthington, 
Ohio-based  firm  has  been  airing  live 
videoconferences  to  targeted  individu¬ 
als,  who  share  their  opinions  remotely 
via  PC.  For  test  panels  of  2,000  or 
more,  BIGresearch  uses  technology 
from  SOS  Video  Communications  in 
Columbus,  Ohio.  Panel  participants  log 
onto  their  video  e-mail,  view  the  clip  of 
the  product  and  key  in  responses. 

Phil  Rist,  vice  president  of  strategic 
initiatives  at  BIGresearch,  notes  that 
savings  are  vast  for  his  clients,  which 
include  Victoria’s  Secret,  S.C.  Johnson 
&  Son  Inc.  and  Wal-Mart  Stores  Inc. 

The  technology  has  also  proved 
powerful  in  business-to-business  appli¬ 
cations,  says  Rist.  After  it  conducts  a 
survey,  BIGresearch  tapes  an  actor 
reading  a  summary  of  the  results.  The 
footage  is  then  condensed  into  a  video 
e-mail  that’s  sent  to  the  client. 

“Some  people  are  not  into  reading 
charts  and  numbers,”  says  Rist.  “A 
video  presentation  makes  it  so  much 
easier.”  A  soap  manufacturer,  for  ex¬ 
ample,  can  forward  that  same  video 
e-mail  to  a  department  store  buyer 
so  he  also  can  understand  consumer 
preferences,  he  says. 

Meanwhile,  acceptance  is  growing 
on  the  receiving  end  of  the  technology. 
According  to  a  new  study  conducted  by 
Osterman  Research  Inc.,  more  than 
50%  of  corporate  users  surveyed  said 
they  would  view  a  video  e-mail  if  it  was 
sent  by  someone  they  knew.  Over  38% 
said  they  would  view  video  e-mails 
from  people  they  do  business  with. 

“Firms  using  video  mail  as  a  pull 
versus  a  push  technology  will  gain 
user  confidence,”  says  Michael  Oster¬ 
man,  president  of  Osterman  Research 
in  Black  Diamond,  Wash.  For  instance, 
he  says,  if  a  customer  has  a  question 
about  a  product  and  e-mails  the  ven¬ 
dor,  that  vendor  can  provide  an  en¬ 
hanced  service  by  responding  with  a 
personalized  video  greeting. 

That  is  exactly  what  Chrysler  Group 
sales  representative  Chris  Hanson  did 
when  he  responded  to  a  woman  inter¬ 
ested  in  a  Chrysler  300  vehicle.  Han¬ 
son,  based  in  Hibbing,  Minnesota, 
replied  to  her  questions  via  video 
e-mail  and  told  her  that  the  car  she 
wanted  was  in  the  showroom.  That 
same  day,  she  drove  three  hours  to 
purchase  the  car. 

“Adding  a  face  to  the  e-mail  adds  a 
new  dimension  to  your  selling,”  said 
Hanson.  After  the  transaction,  he 


A  MOVING  PLEA  FOR  HELP 


A  MOTHER  who  has  just  lost  her 
son  in  the  recent  tsunami  in  Sri 
Lanka  wails  into  the  lenses  of 
rolling  cameras.  In  another 
scene,  in  hushed  tones,  a  little 
girl  explains,  “Mother  went  to  the 
shore  and  didn’t  come  back.” 

These  images  from  relief  or¬ 
ganization  World  Vision  Interna¬ 
tional  in  Federal  Way,  Wash., 
were  part  of  a  minimovie  shot  in 
Southeast  Asia  within  days  of 
the  December  tsunami  disaster 
there  and  sent  as  a  video  e-mail 
to  a  half-million  subscribers  and 
donors  thanking  them  for  their 
support. 

Called  the  Asia  Tsunami  Video 
Update,  the  three-minute  round¬ 
up  of  the  organization’s  rescue 
and  support  operations  in  Sri 
Lanka,  India  and  Thailand 
showed  original  footage  of  the 
waves,  the  victims  and  the  after- 
math  of  the  disaster. 

The day the tsunami hit, many of the 3,700 relief workers already in the affected regions mobilized into teams to offer shelter, food and clothing. Some were already armed with video cameras and filmed for hours. One cameraman was sent from the organization’s headquarters to help with the shooting.

[Image: World Vision video e-mail on tsunami relief gifts. Text: “Your recent gift to World Vision tsunami relief is helping provide vital care for orphaned, homeless, and vulnerable children!”]

According to Brad Cooper, World Vision’s division director of Internet development, once the footage was transmitted electronically, video editors and producers on the creative content team worked around the clock to select precisely the right clips that would communicate what the workers were doing.

Working with New York-based e-mail vendor Bigfoot Interactive Inc. and Irvine, Calif.-based VitalStream Inc. for streaming video technology, the organization transmitted a series of messages to donors within three days of the disaster.


The  clips  were  uploaded  into 
servers,  digitized  and  then  trans¬ 
mitted,  says  Cooper.  Using 
Macromedia  Flash  and  Microsoft 
Windows  Media  formats,  home 
users  saw  what  relief  workers 
had  encountered. 

Designed  as  a  thank-you  let¬ 
ter,  the  video  was  so  effective 
that  recipients  continued  to  give 
donations  online,  says  Cooper. 

To  date,  contributions  to  World 
Vision  have  topped  $250  million 
worldwide. 

“The feedback we got from this was great,” Cooper says. “Video reinforced what our people were doing in the field.” According to Cooper, five times as many people viewed the video e-mail as the messages that had only text content.

“There was just no better way to understand the impact of the devastation than with video,” says Cooper.

-  Kathy  Chin  Leong 


zipped  off  a  follow-up  video  message 
thanking  her  for  her  business.  “Cus¬ 
tomers  can  get  the  same  information 
from  other  dealerships,  but  if  you  have 
a  decent  personality  and  can  portray 
that  in  your  e-mail,  the  customer  will 
connect  with  you,”  he  says. 

EARLY  ADOPTERS 

Some  executives  deem  video  e-mail  a 
timesaver  compared  with  hunting  and 
pecking  at  the  keyboard.  “I’m  the  slow¬ 
est  typist  in  the  world,”  says  Sheridan 
Square’s  Bianco.  “My  secretary  used  to 
type  out  my  long  e-mails,  but  now  I 
create  a  video  e-mail  and  communicat¬ 
ing  is  so  much  faster.” 

But  many  of  today’s  adopters  say  the 
technology  proves  its  worth  in  attract¬ 
ing  business  while  maintaining  core 
relationships.  Last  fall,  Authoria  Inc., 
a  Waltham,  Mass.-based  human  re¬ 
sources  software  company,  issued 
video  e-mail  created  by  Productorials 
Corp.  in  Boston  to  investors,  analysts 
and  reporters  to  announce  that  it  was 
acquiring  a  key  competitor. 

Todd  Chambers,  Authoria’s  vice 
president  of  marketing,  said  the  feed¬ 
back  was  overwhelming.  “It  not  only 
delivered  the  message  in  a  unique  way, 
it  set  a  tone  for  our  company,”  he  says. 


“We  wanted  to  show  how  forward- 
thinking  we  are  in  both  what  we  do 
and  how  we  communicate  to  the  out¬ 
side  world.” 

Chambers  notes  that  after  the  re¬ 
lease,  bankers  who  were  forwarded  the 
video  e-mail  called  to  find  out  how 
they  could  invest  in  the  company. 
“There  is  no  question  we  will  be  doing 
more  campaigns  like  this,”  he  says. 

Since  video  e-mail  is  a  relatively  new 
phenomenon,  it  is  a  strategic  public- 
relations  weapon  that  can  generate 
buzz.  When  VIDISolutions  partnered 
with  the  American  Red  Cross,  America 
Online  Inc.  and  Hewlett-Packard  Co.  to 
launch  Project  Video  Connect  in  2003, 
a  free  program  that  allows  military 
families  to  send  video  e-mails  to 
armed  services  personnel  in  the  Mid¬ 
dle  East,  more  than  70  media  outlets 
covered  the  news. 

Sometime  this  year,  video  e-mail  will 
be  viewable  on  cell  phones.  According 
to  VIDISolutions’  Braun,  a  user  of  the 
company’s  VIDITalk  technology  will 
soon  be  able  to  transmit  video  e-mail 
to  cell  phones  bundled  with  Windows 
Media Player. Likewise, companies transmitting messages with Destiny Media Technologies Inc.’s Clipstream technology will be able to send video e-mail to Java-supported cell phones.

Soon users will be able to talk back to the sender of their video e-mails, according to Jarrod Erwin, vice president of strategic development at VoiceTech Communications Corp. in Houston. His company’s voiceNow video e-mail service will be equipped with a new CRM feature: Recipients with a microphone-equipped PC will be able to automatically dial and talk back to the sender with a single mouse click.

What will it take for the video e-mail market to take off? There are still obstacles to overcome. No vendor’s service is perfect. Video-streamed images don’t always work over dial-up lines, and even businesses using DSL may find that video clips sputter.

But Braun asserts that the acceptance of broadband and the proliferation of Web cameras is setting the stage. “Companies will soon see that video mail will become just as important as text e-mail and voice mail,” he says. “There will be room for all three.”
O 52933 


Leong is a freelance writer in Los Angeles. You can reach her at kchinleong@sbcglobal.net.

MetricStream Adds Sarb-Ox Support

■ MetricStream Inc. has extended functionality to its software compliance suite with support for Section 404 of the Sarbanes-Oxley Act. The new features are intended to help companies demonstrate the internal controls they have in place for financial reporting, according to the Redwood Shores, Calif.-based company. Among the key modules in the suite is MetricStream Monitor, a tool that provides visibility into ongoing compliance efforts through role-based dashboards and scorecards. The J2EE-based software can run on any version of Unix, Windows NT or Linux, and it supports Oracle databases. Pricing is based on the number of users and starts at $200,000.


Metadot  Offers 
Subscription  Option 

■ Metadot Corp. in Austin is now selling its open-source portal server on a subscription basis, with various levels of customer support and maintenance. The new Metadot Portal Server Business Edition lets users create and maintain extranets, intranets and corporate Web sites, as well as project and community portals, the company said. The application is browser-based and runs on Linux, Solaris, Windows and OS X. Pricing starts at $2,000 per year.


NetSuite  Releases 
NetFlex  Tool  Set 

■ Hosted business applications provider NetSuite Inc. in San Mateo, Calif., last week announced that it is offering a new Web services-based technology platform called NetFlex. The product delivers a tool set that lets users customize or craft their own applications within the NetSuite framework and integrate those applications with other applications, the company said. NetFlex is available now at no extra charge to NetSuite users.


ROBERT  L.  MITCHELL 


Drowning in Unstructured Data


THE YEAR WAS 1989. A rather disorganized co-worker of mine had begun running a personal information manager and Lotus Magellan, a newfangled “disk navigation system” that combined fast search with a file viewer window. In his case, the programs didn’t always help. His excitement at showing off how quickly he could find some arcane bit of information often faded into a plaintive, “Wait, uh, uh, it’s in here somewhere . . .”

His  plea  became  an  inside 
joke  around  the  office,  a 
mantra  to  be  recited  around 
the  coffee  machine.  The 
best  approach,  I  thought, 
was  to  organize  or  add 
structure  to  documents  as 
they  came  into  the  system.  If  you  didn’t 
spend  time  upfront  to  organize  your 
data,  what  could  you  expect  but  chaos? 
Garbage  in  equals  garbage  out. 

I’m not laughing anymore. Sixteen years later, the trickle of data on that original multimegabyte desktop hard drive has become a multigigabyte torrent, with much of that content linked to other documents on the company’s LAN, Web site and e-mail server, and the World Wide Web. Today, there is simply too much information to parse; the orderly processes I used to conscientiously tag, arrange and otherwise transform incoming data simply take too long. I am drowning in a sea of unstructured information.

Ironically, Magellan turns out to have been the harbinger of today’s desktop search tools, which have come to my rescue. Programs such as Copernic and X1 Desktop Search (the latter, a descendant of Magellan, is the one I prefer) combine a full-text index of documents, e-mail messages and other content with a file preview pane, enabling the user to almost instantly locate and display desired information. Support for document type filters and Boolean notation allows fine-grained searches. Further, users can usually act on the file within the context of the application that created it. For example, within X1, an e-mail message in the search results window can be forwarded by clicking a button.

Desktop search tools are creeping onto corporate desktops, both because many are free and because the productivity benefits are potentially large for users with significant amounts of locally stored content. For IT organizations that want to support desktop search, however, the issues are a bit more complicated than simply adding a preferred desktop search engine to the standard system image.

For example, users can point desktop search tools at shared volumes on the network, including public folders, creating unexpected disk I/O and network traffic loads. Also, most products aren’t smart enough to deal with shared storage when laptops are disconnected. Indexed content may be unindexed when users are on the road, only to be reindexed once again when the user returns.

Security policies also need to be set to determine who can index and view which files. And as a security vulnerability in Google’s tool made clear last year [QuickLink 51557], the products are still evolving.

Ultimately, however, users don’t need a desktop search tool. What they need — and what IT should deliver — is an integrated system that allows searches of local, enterprise and Web-based content from within a single, seamless user interface. Right now, that’s still a tall order.

Computerworld’s senior

First-generation enterprise search tools from desktop search vendors include a second, network-based search engine that sits on the corporate LAN and indexes shared folders and intranet content. A user’s ability to view or search selected content is governed by policies and permissions the administrator has set using LDAP or Active Directory.

Coveo Solutions Inc. offers an enterprise search complement to its Copernic desktop search tool. However, users still must use a different interface for each resource. X1 Technologies Inc. is readying a similar tool for release this spring that it says will include a unified user interface. X1, which has partnered with Yahoo to give away a consumer version of X1 Desktop Search, could be among the first to deliver access to the search trinity of desktop, enterprise and Web content from within a single graphical user interface.

Desktop search vendors are also moving quickly beyond e-mail to support content management software. Coveo is rolling out a version of its product for Microsoft’s SharePoint; X1 has similar plans. Meanwhile, established enterprise search vendors such as Autonomy Corp. have launched their own products for the desktop market. If you use enterprise search already, your vendor is probably the first place to look for desktop search.

But do get started. Although the products aren’t perfect, the productivity benefits of desktop search are too irresistible for users to ignore. If you don’t start establishing a corporate IT standard for desktop search soon, you may find that your users have done it for you. © 53169

DB2. ONLY THE PERFORMANCE IS HIGH.

DB2  has  done  it  again.  According  to  a  Market  Magic  Study, 
DB2  costs  “on  average  22%  less  than  Oracle.”1 

The Transaction Processing Performance Council results show that DB2 and eServer™ p5-595 are more than twice as scalable as Oracle Real Application Clusters, making them the overwhelming performance and scalability leader for TPC-C.2 And an ITG study showed overall costs for Oracle Database up to four times higher than DB2.3

No wonder DB2 is regarded as the leading database built on and optimized for Linux, UNIX and Windows. Like other IBM database engine products such as Informix and Cloudscape, DB2 is part of an innovative family of information management products that integrates and can actually add insight to your data.


It  takes  full  advantage  of  your  existing  heterogeneous 
and  open  environments,  while  its  leading-edge 
autonomic  computing  technology  means  increased 
reliability,  increased  programmer  productivity  and 
decreased  deployment  and  management  costs. 

One  more  thing:  Oracle  desupported  Oracle  Database  8i 
last  year,  meaning  potential  headaches,  higher  cost  or 
a  complete  migration  to  current  versions  of  Oracle. 
Fortunately,  IBM  offers  ongoing,  around-the-clock  service 
and  support  for  DB2. 

Why  not  move  up  to  middleware  that  makes  sense?  Now  you 
can  get  IBM  DB2  Universal  Database  or  Informix  by  taking 
advantage  of  our  extremely  compelling  trade-up  program. 
Visit  ibm.com/db2/swap  today  to  find  out  if  you  qualify. 




IBM, the IBM logo, DB2, eServer, Informix, Cloudscape and the On Demand logo are trademarks or registered trademarks of International Business Machines Corporation in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and/or other countries. Other company, product and service names may be trademarks or service marks of others. ©2005 IBM Corporation. All rights reserved.
1 “Database Comparative Cost of Ownership,” January 2003, Market Magic Ltd.
2 All referenced results are current as of 12/14/04. DB2 UDB v8.2 on IBM eServer p5 595 (64-way POWER5 1.9 GHz) and AIX 5.3L: 3,210,540 tpmC @ $5.19/tpmC available: May 15, 2005. vs. Oracle RAC 10g on HP Integrity rx5670 Cluster 64P (16 x 4-way Intel Itanium2 6M 1.5GHz): 1,184,893 tpmC @ $5.52/tpmC available: April 30, 2004; TPC Benchmark, TPC-C, tpmC are trademarks of the Transaction Processing Performance Council. For further TPC-related information, please see http://www.tpc.org/.
3 “IBM Solutions for PeopleSoft Deployment in Mid-sized Businesses Quantifying the New Cost Benefit Equation,” July 2003, International Technology Group, Los Altos, California.


How  Japan  helps  Cisco  Systems 

spin  a  stronger  web. 


No  wonder  Cisco  Systems,  the  preeminent 
player  paving  the  information  superhighway,  just 
opened  an  R&D  center  in  Tokyo.  With  broadband 
access  accelerating  and  traffic  five  times  heavier 
on  many  ISP  networks  than  that  carried  by  U.S. 
providers,  Japan  is  where  the  future  of  global 
Internet  growth  is  already  happening. 

Not  only  has  a  government-led  "e-Japan"  initiative 
successfully  incentivized  rapid  broadband  deployment — 
Japan,  as  one  of  most  sophisticated  broadband  markets, 
is  set  to  generate  many  of  the  world's  best  new  business 
models.  Technologies  perfected  here  satisfy  the  most  rigorous 
standards,  so  they  offer  another  huge  payoff:  they  promise  to  be 
powerful  enough  to  serve  any  other  part  of  the  planet. 

So  start  spinning  the  web  to  capitalize  on  the  biggest  market  in  the 
fastest-evolving  economic  region  on  Earth. 


www.investjapan.org/us
The Japan External Trade Organization (JETRO) is a Japanese government-funded organization that promotes trade and foreign direct investment in Japan.
New York • San Francisco • Los Angeles • Chicago •

Here’s a crash course for your business sponsor in what he needs to know about your IT project.

By  Michael  H.  Hugos 


IT  MENTOR 


Business executives who sponsor system development projects need a way to assess them as they move through the define, design and build sequence. This checklist can be used to assess any IT development project, and it will reveal quite clearly whether things are going well.


GOODNESS  OF  SYSTEM  DESIGN 

In  the  first  two  to  six  weeks  of  the  project  —  the  define 
phase  —  ask  yourself  and  the  system  builder  in  charge 
of  the  project  the  following  questions: 


What is the business goal of the project? In two sentences or less, state the action the company is going to take and the desired result of that action. This is the goal. It is the target, the destination the project is supposed to reach. Figure out what it is, or stop the project.

Which performance criteria is the system supposed to meet? State requirements the system will meet in four areas:

1  Business  operations 

2  Customer  expectations 

3  Financial  performance 

4  Company  learning  and  improvement 

These are the specific measures that will determine whether the system will be a success. Make sure that you and the people designing and building the system know what they are.

Do you believe that a system that meets the preceding performance requirements will accomplish the business goal you are striving for? If you have a feeling that important performance requirements have been left out, add them before the project gets any further along, but make sure that you add only requirements that are strictly necessary to accomplish the business goal. Requirements that are too broad will result in increased system complexity and less chance that the system can be successfully built.

Don’t Miss Your Chance!

IT LEADERS 2006

Nominate an outstanding IT leader for Computerworld’s Premier 100 IT Leaders 2006 Awards program


EACH YEAR, Computerworld editors conduct a nationwide search for IT managers and executives who show technology leadership in their organizations. This prestigious awards program recognizes and honors IT professionals from a wide range of industries, drawing attention to the innovative, business-critical work they do.

ELIGIBLE NOMINEES include CIOs, CTOs, vice presidents, IT directors and managers from user companies, nonprofits, the computer industry and the public sector.

HONOREES will be announced in Computerworld’s Dec. 12, 2005, issue and will be our guests at the 7th Annual Premier 100 IT Leaders Conference, March 5-7, 2006, in Palm Desert, Calif.


Who  Qualifies? 


IT  managers  and 
executives  who 

■  Effectively  manage  IT  and 
business  strategies 

■  Envision  innovative 
approaches  to  business 
problems 

■  Foster  great  ideas  and 
creative  work  environments 

■  Excel  at  vendor  and  supplier 
management 

■  Take  calculated  risks  and 
learn  from  failure 


Deadline for Nominations Is May 31

Go online to nominate an IT leader at computerworld.com/p100nominations or QuickLink a3420.
Questions? Contact us by e-mail at premier100@computerworld.com.

The first 800 qualified IT End-Users who register and attend SNW will receive a free copy of Spies Among Us by Industry Visionary, Ira Winkler


Co-Owned and Endorsed by SNIA

Co-Owned and Produced by COMPUTERWORLD


Learn  How  to  Achieve 
Storage  Networking  Success 


Featured  Speakers  Include: 


BOB  LOGAN 

Vice  President,  Enterprise  Infrastructure  Services 
SAIC 

SONJA  ERICKSON 

Vice  President,  Technical  Operations 
Kodak  EasyShare  Gallery 

SASAN HAMIDI

CSO
Interval International

STEVE  DUPLESSIE 

Founder  and  Senior  Analyst 
Enterprise  Strategy  Group 

JON  WILLIAM  TOIGO 

CEO  and  Founder 
Toigo  Partners  International 

ANN LIVERMORE

Executive Vice President, Technology Solutions Group
Hewlett-Packard Company


See  and  Hear  Ira  Winkler 


IRA  WINKLER 

Expert  in  Corporate  and  Computer  Security 
Author  of  Spies  Among  Us:  How  to  Stop  the 
Spies,  Terrorists,  Hackers  and  Criminals  You 
Don’t  Even  Know  You  Encounter  Every  Day 


The  Leading  Conference  for: 

•  IT  Management 

•  Storage  Architects 

•  IT  Infrastructure  Professionals 

•  Business  Continuity  Planning  Experts 

•  Data  Management  Specialists 

•  Network  Professionals 


To  register  or  for  more  information, 
visit  www.snwusa.com/cw 


See solutions from companies including:

“BEST PRACTICES” AWARDS PROGRAM SPONSORED BY: EMC2 (where information lives)

PARTNER PAVILION: Microsoft

GOLF OUTING SPONSOR: Quantum

For  sponsorship  opportunities,  call  Ann  Harris  at  508-820-8667 


April  12-15,  2005  •  JW  Marriott  Desert  Ridge  Resort  •  Phoenix,  Arizona 


SNW  has  the  potential 
to  save  someone  80 
flights  a  year ...  an  optimal 
domain  for  consolidated 
interpersonal  industry 
networking  ..." 

Michael  Dugan 
Director  of  Technology, 
Forbes.com 


"...  the  premier  event  in  the 
storage  industry ...” 


Frank  Enfanto 
Vice  President, 
Operations  Delivery  & 
Information  Security, 
Blue  Cross  Blue  Shield 
of  Massachusetts 


Learn  How  to  Achieve 
Storage  Networking  Success 

•  Get  a  contemporary  overview  of  today's  storage  networking  issues  and  opportunities 

•  See  how  to  implement  and  deploy  the  latest  in  storage  networking  technologies 

•  Hear  the  latest  in  enterprise  security 

•  Learn  from  best  practices  and  case  studies 

Why  You  Should  Attend 

Are  you  responsible  for  managing  your  company’s  data  center  assets?  Want  to  exchange  innovative  ideas 
and  strategies  with  other  executives  who  share  the  same  objectives?  Then  attend  Storage  Networking 
World,  where  you'll  network  with  and  learn  from  renowned  experts  and  the  nation's  top  user  executives. 

Conference  At-a-Glance  (subject  to  change) 


For  details,  updates,  and  to  register  visit  www.snwusa.com/cw 


TUESDAY, APRIL 12

Registration Open 11:00am - 8:30pm

9:00am - 9:30am    Breakfast
9:30am - 11:30am   Pre-Conference Tutorials and Primers
11:30am - 1:00pm   Luncheon
12:00pm - 5:00pm   Pre-Conference Golf Outing
1:00pm - 5:25pm    End-User Case Studies; SNIA Voice of the User Track; SNIA Technical Tutorials Track; Deployable Solutions Track
6:00pm - 8:00pm    Welcome Reception


WEDNESDAY, APRIL 13

Registration Open 7:00am - 8:00pm

7:15am - 8:15am    Breakfast
8:15am - 8:30am    Opening Remarks
8:30am - 9:15am    Opening Visionary Presentation: Ira Winkler, Security Expert and Author of Spies Among Us
9:15am - 9:45am    End-User Case Study: Bob Mathers, Second Vice President, Information Technology Operations & Disaster Recovery, Guardian Life Insurance
9:45am - 10:15am   Industry Leader Presentation: Ann Livermore, Executive Vice President, Technology Solutions Group, Hewlett-Packard Company
10:15am - 10:30am  Break
10:30am - 11:00am  End-User Case Study: Bob Eicholz, Vice President, EFILM, LLC
11:00am - 11:30am  Industry Leader Presentation: John Thompson, CEO, Symantec
11:30am - Noon     End-User Case Study: The Story (and Storage!) Behind Kodak’s Online Photo Success. Sonja Erickson, Vice President, Technical Operations, Kodak EasyShare Gallery
Noon - 12:45pm     Panel Discussion. Moderated by: Jon William Toigo, CEO & Founder, Toigo Partners International
12:45pm - 2:00pm   Luncheon
2:10pm - 5:40pm    End-User Case Studies; SNIA Voice of the User Track; SNIA Technical Tutorials Track; Deployable Solutions Track
5:40pm - 8:40pm    Expo with Dinner and Interoperability & Solutions Demo

• 30-plus SNIA member companies collaborating on integrated solutions

• Opportunity to meet leading experts and engineers


For  more  information  and  to  register,  visit  www.snwusa.com/cw  or  call  1-800-883-9090 




THURSDAY, APRIL 14

Registration Open 7:00am - 6:00pm

7:15am - 8:15am
8:15am - 8:30am
8:30am - 9:15am
9:15am - 9:45am
9:45am - 10:15am
10:15am - 10:30am
10:30am - 11:00am
11:00am - 11:30am
11:30am - Noon
Noon - 12:45pm
12:45pm - 2:00pm
2:10pm - 5:40pm
2:10pm - 5:40pm
4:00pm - 7:00pm
7:00pm - 9:30pm

Breakfast

Opening Remarks

Opening End-User Visionary Presentation

Industry Leader Presentation: Andy Monshaw, General Manager, Storage Systems, IBM Systems and Technology Group

End-User Case Study: Bob Logan, Vice President, Enterprise Infrastructure Services, SAIC

Industry Leader Presentation: Jeff Nick, Vice President and Corporate-Wide CTO, EMC Corporation

End-User Case Study: Sasan Hamidi, CSO, Interval International

Industry Leader Presentation: John Kelley, President and CEO, McData

End-User Panel. Moderated by: Steve Duplessie, Founder & Senior Analyst, Enterprise Strategy Group

Expo with Lunch and Interoperability Demo

IDC Storage Analyst Briefing

End-User Case Studies; SNIA Voice of the User Track; SNIA Technical Tutorials Track; Deployable Solutions Track

Expo Open

• Cocktail Reception in Expo begins at 5:30pm

Gala Evening with Awards Ceremony, Dinner & Entertainment


FRIDAY, APRIL 15

Registration Open 7:30am - 10:00am

7:30am - 10:00am   Continental Breakfast
8:30am - Noon      End-User Case Studies; SNIA Voice of the User Track; SNIA Technical Tutorials Track; Deployable Solutions Track
Noon               Conference Concludes


“...  at  SNW,  you  connect 
with  folks  you  normally 
wouldn’t  meet  and 
capitalize  on  the 
serendipitous  exchange 
of  ideas  ..." 


John  Seely  Brown 
former  director,  Xerox 
Palo  Alto  Research 
Center  (PARC),  and 
former  chief  scientist, 
Xerox 


“...  SNW  is  a  great  venue 
for  peer  discussion  ...  an 
opportunity  to  provide 
feedback  to  vendors  on 
what  users  need  from 
them  ...” 


John Greer
Director,
IT Infrastructure,
Pacific Gas & Electric



Attend  SNIA-Certified 
Training  Programs  at  SNW 

Visit  www.snwusa.com  for  more 
information. 


Pre-Conference  Golf  Outing 

Complimentary  for  Registered  IT  End-Users 

The Pre-Conference Golf Outing at The Wildfire Golf Club, Faldo Course located at the JW Marriott Desert Ridge Resort, is complimentary ($165 value) for registered IT End-Users (other participants, including sponsors and vendors, may play on an “as available” basis and are responsible for all applicable golf outing expenses).

SPONSORED BY Quantum

For  details  contact  Chris  Legef  at  1-508-820-8277 


Hotel  Reservations  and  Travel  Services 

Global  Odysseys  is  the  official  travel  company 
for  Storage  Networking  World.  They  are  your 
one-stop  shop  for  exclusive  discounted  rates  on 
hotel  accommodations. 

To  reserve  your  accommodations,  visit:  www.etcentral.com 
You  can  also  call  our  conference  housing  line  at:  1-888-254-1597 




Application  for  Conference  Registration 

Fax  this  completed  application  to  1-508-820-8254  or  apply  online  at:  www.snwusa.com/cw 


Your  business  card  is 
REQUIRED 

to  process  your  application 

Please  affix  your  business  card  to  this  space  prior  to 
submitting  your  application.  Applications  submitted 
without  business  cards  will  not  be  processed. 

Questions?  Call  1-800-883-9090 


If  not  indicated  on  your  business  card, 
please  provide  the  following  required 
information: 


Corporate  Email  Address 


Corporate  Website 

Registration  questions? 

Call  1  -800-883-9090  or  email 
snwreg@computerworld.com 

Need  accommodations? 

Reserve  them  at:  www.etcentral.com 

Or  call  1-888-254-1597 
or  email:  eventhousing@globalodysseys.com 


Please  check  ONE  of  the  following: 

Earlybird  Registration  (through  February  28,  2005) 

Full/Onsite  Registration  (after  February  28,  2005) 

Q  1  am  an  IT  End-User* 

(Complete  Attendee  Profile  below) 

□  $895  General  Conference  Package  (April  1 3  &  14) 
(includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 

□  $1,290  Total  4-Day  Package  (April  12,  13,  14,  15) 

(includes  General  Conference,  plus  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA-Certification  “Test-Ready"  Courses) 

□  $1,295  General  Conference  Package  (April  13  &  14) 
(includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 

□  $1,690  Total  4-Day  Package  (April  12,  13,  14,  15) 

(includes  General  Conference,  plus  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA-Certification  “Test-Ready"  Courses) 

*  IT  End-Users  are  defined  as  those  who  are  attending  Storage  Networking  World  with  an  intent  (and  an  IT  spending  budget)  to  potentially  buy/lease  hardware/software/services,  etc  from  our  conference  sponsors  and  are  not  themselves  an  IT  vendor.  As  such, 
account  representatives,  business  development  personnel,  analysts,  consultants  and  anyone  else  attending  who  does  not  have  IT  purchasing  influence  within  their  organization  are  excluded  from  the  “IT  End-User”  designation.  Interpretation  and  enforcement  of 
this  policy  are  at  the  sole  discretion  of  Computerworld. 


□  I  am  a  Channel  Partner/ 
Integrator/Consultant 

(Complete  Attendee  Profile  below) 


□  $3,000  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference;  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA  Certification  “Test-Ready”  Courses) 


□  $3,500  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference;  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA  Certification  "Test-Ready"  Courses) 


By  participating  in  SNWs  Channel  Partner/Integrator  registration  package,  registrants  may  enjoy  the  following  benefits:  One  company  representative  may  receive  a  full  conference  pass  to  SNW  Spring  2005;  additional  company 
representatives  pay  $695  each  for  full  conference  passes;  company  may  invite  up  to  five  IT  User  customers  to  attend  SNW  SpringOT  Users  must  be  strictly  compliant  with  IT  User  definition  on  the  supplied  registration  form); 
companies  registering  for  this  package  interested  in  joining  the  SNIA  are  eligible  to  receive  a  $2,000  discount,  provided  that  membership  is  applied  for  prior  to  March  1, 2005. 


Attendee  Profile:  This  section  MUST  be  completed  by  IT  End-Users  and  Channel  Partners/Integrators/Consultants  only  (optional  for  all  other  registrations)  in  order  to  process  your  application. 


Your  Business/Industry 

□  Aerospace 

□  Manufacturing  &  Process  Industries  (non-computer  related) 

□  Finance/Banking/Accounting 

□  Insurance/Real  Estate/Legal  Sevices 

□  Government:  Federal  (including  Military) 

□  Government:  State  or  Local 

□  Health/Medical/Dental  Services 

□  Retailer/Wholesaler/Distributor  (non-computer  related) 

□  Transportation/Utilities 

□  Communication  Carriers 

(ISP,  Telecom,  Data  Comm,  TV/Cable) 

□  Construction/Architecture/Engineering 

□  Data  Processing  Sen/ices 

□  Education 

□  Agriculture/Forestry/Fisheries 

□  Mining/Oil/Gas 

□  Travel/Hospitality/Recreation/Entertainment 

□  Publishing/Broadcast/  Advertising/ 

Public  Relations/Marketing 

□  Research/Development  Lab 

□  Business  Services/Consultant  (non-computer  related) 

□  Manufacturing  of  Computers,  Communications, 

Peripheral  Equipment  or  Software 


Your  Job  Title/Function: 

IT  MANAGEMENT 

□  CIO,  CTO,  CSO 

□  Executive  VP,  Senior  VP 

□  Vice  President 

□  Director 

□  Manager/Other  IT  Manager 

□  Supervisor 

BUSINESS  MANAGEMENT 

□  CEO,  COO,  Chairman,  President 

□  CFO,  Controller,  Treasurer 

□  Executive  VP,  Senior  VP,  VP,  General  Manager 

□  Director,  Manager 

□  Other  Corporate/Business  Manager 

Number  of  employees  in  your  entire  organization 
(ALL  locations) 

□  20,000  or  more 

□  10,000-19,999 

□  5,000-9,999 

□  1,000-4,999 

□  500  -  999 

□  100-499 

□  50-99 

□  Less  than  50 


What is your organization’s annual IT/IS budget for all IT/IS products?

□ $1 Billion or more
□ $500 Million - $999.9 Million
□ $100 Million - $499.9 Million
□ $50 Million - $99.9 Million
□ $10 Million - $49.9 Million
□ $1 Million - $9.9 Million
□ $500,000 - $999,999
□ $250,000 - $499,999
□ $100,000 - $249,999
□ Less than $100,000

What is the estimated annual revenue of your entire organization?

□ Over $10 Billion
□ $1 Billion - $9.9 Billion
□ $500 Million - $999 Million
□ $100 Million - $499 Million
□ Less than $100 Million


The  one  item  that  best  describes  your  involvement  in 
the  IT  purchase  process 

□  Authorize/approve  purchase 

□  Evaluate/recommend  products,  brands,  vendors 

□  Specify  features/technical  requirements 

□  Set  budget  for  expenditures 

□  Determine  need  to  purchase 

□  Create  IT  strategy 

□  All  of  the  above 

Would you like to receive information about playing in the golf outing on Tuesday, April 12th?

□ Yes

□ No

Do you need hotel accommodations?

□  Yes  (please  visit  www.etcentral.com  to  reserve) 

□  No 

Would  you  like  to  receive  a  complimentary 
subscription  to  Computerworld? 

□  Yes 

□  No 


□ My company is Sponsoring/Exhibiting at SNW

□ $895 (through February 28, 2005)
General Conference Package (April 13 & 14)
(includes General Conference Sessions, Expo, Meals & Receptions)

□ $1,295 (after February 28, 2005)
General Conference Package (April 13 & 14)
(includes General Conference Sessions, Expo, Meals & Receptions)

□ $1,290 Total 4-Day Package (April 12, 13, 14, 15)
(includes General Conference, plus Technical and Business Tracks, SNIA-produced Tutorials, SNIA-Certification “Test-Ready” Courses)

□ $1,690 Total 4-Day Package (April 12, 13, 14, 15)
(includes General Conference, plus Technical and Business Tracks, SNIA-produced Tutorials, SNIA-Certification “Test-Ready” Courses)


As  a  sponsor,  you  may  be  eligible  to  attend  using  a  registration  provided  with  your  sponsorship.  (If  those  registrations  have  already  been  assigned/used,  then  you  may  register  at  the  prevailing  rates  above.)  See 
the  current  list  of  sponsors  at  www.snwusa.com.  Questions?  Call  1-800-883-9090  or  email  snwreg@computerworld.com. 


□ I am a representative of a Non-Sponsoring IT Vendor Company

□ $5,000 Business Development Professional Package for Sales, Marketing and Business Development Professionals (includes General Conference Sessions, Expo, Meals & Receptions)

Vendors are encouraged to participate in Storage Networking World through sponsorship. (Details are available by calling Ann Harris at 508-820-8667.) Alternatively, vendors (as well as other “non-IT end-user” professionals as defined by Computerworld), may apply for registration at the “non-sponsoring vendor” rate of $5,000. Determination of what constitutes a “non-sponsoring vendor” registration is made exclusively by Computerworld.

Please  call  888-239-4505  with  questions. 


□ I am a Financial/Equity Analyst and/or Venture Capital Professional

□ $1,290 (through February 28, 2005)
General Conference Package
(includes General Conference Sessions, Expo, Meals & Receptions)

□ $1,690 (after February 28, 2005)
General Conference Package
(includes General Conference Sessions, Expo, Meals & Receptions)


□  I  am  a  qualified  member  of  the  press.  I  can  verify  my  press  credentials. 
Press  should  call  Marenghi  Public  Relations  at  1-781-915-5000  to  register. 

Please  fax  this  completed  application  to  1-508-820-8254 


Payment  Method 

□  Check  (checks  must  be  received  by  March  21, 2005  payable  to:  Computerworld) 
Mail  to:  Computerworld,  Attn:  Mike  Barbato,  One  Speen  Street  Framingham,  MA  01701 

□  American  Express  □  VISA  □  MasterCard 

Account  Number: _ 

Expiration  Date: _ 

Card  Holder  Name: _ 

Signature  of  Card  Holder: _ 

Cancellation Policy (All of the following require written notification by March 21, 2005.)

In the event of cancellation, the registrant has three options:

1) He or she may substitute another attendee for this conference.

2) He or she may transfer this registration to the Storage Networking World Fall 2005 conference.

3) The registration fee will be refunded, less a $250 service charge (if written notice is received by March 21, 2005).

Please  send  cancellation  requests  via  email  to:  snwreg@computerworld.com 


www.computerworld.com 
Which existing computer systems in your company does the new system design leverage? The new system should leverage the strengths of systems and procedures already in place. That way it can focus on delivering new capabilities instead of just replacing something that already exists. If you decide to replace everything and build from a clean slate, you had better be prepared for the considerable extra time and expense involved and be sure that it’s worth it.

Does the overall design for the new system break down into a set of self-contained subsystems that can each operate on its own and provide value? Large computer systems are really made up of a bunch of smaller subsystems. Your company should be able to build each subsystem independently of the others. That way, if one subsystem runs into problems, work on the others can still proceed. As subsystems are completed, they should be put into production as soon as possible to begin paying back the expense of building them. If all subsystems must be complete before any can be put to use, that’s a very risky, all-or-nothing system design. Change it.

How accurate is the cost-benefit analysis for the new system? Have the business benefits been overstated? Would the project still be worth doing if the business benefits were only half of those predicted? Cost-benefit calculations usually understate costs and overstate benefits. You are the one who is best able to judge the validity of the calculations. Do you believe they are accurate? The bigger and riskier the project, the greater the benefits must be to justify the risks and expense. Don’t spend more on a system than it’s worth.

How has the system builder demonstrated that his system design and project leadership skills are appropriate to the demands of the project? If you don’t have a qualified system builder in charge, the project will fail from lack of direction. Management by committee won’t work. If this person lacks the necessary design and leadership skills, he must be replaced, no matter what other skills he may possess.


Strategic Guidelines


Tactical Principles

Ensure the presence of a full-time leader (the system builder) with overall responsibility and the appropriate authority.

Define a set of measurable and nonoverlapping objectives that are necessary and sufficient to accomplish the project goal.

Assign project objectives to teams of two to seven people with hands-on team leaders and the appropriate mix of business and technical skills.

Tell the teams what to do but not how to do it.

Break project work into tasks that are each a week or less in duration and produce something of value to the business every 30 to 90 days.

Ensure that the project office staff works with the system builder and team leaders to update plans and budgets.


Which of the strategic guidelines have been followed, and which have not? If all seven of the strategic guidelines are followed (see box, below left), the design of the system is very good. It’s acceptable if one of the guidelines — except the first one — isn’t followed. If two aren’t followed, there had better be very good reasons. In that case, determine which extra precautions will be taken to compensate for the increased risk. If more than two of the guidelines aren’t followed, the design is fatally flawed. The system can’t be built on time or on budget, if it can be built at all.


PROGRESS  MADE 
DEVELOPING  THE  SYSTEM 

As  the  project  moves  through  the  design  and  build 
phases,  ask  yourself,  the  system  builder  and  the  project 
teams  the  following  questions: 

Are the project plan and budget in place? Do people pay attention to the plan? Is there a project office group that provides regular and accurate updates to the plan and the budget? Multimillion-dollar system development projects involve a lot of people and stretch across some period of time. The project plan is the central coordinating instrument that tells every person exactly what he’s supposed to be doing at any given time. If the plan isn’t kept current, the people on the project have no way to effectively coordinate their work. The system builder will lose track of the details. Delays, cost overruns and confusion will result. People won’t know how much has been spent to date or how much more is required to finish. When this happens, the project goes into a death spiral.


Are the subsystem teams organizing their work into clearly defined design and build phases? Are these phases getting done on time and on budget? The project team working on each subsystem should spend one to three months creating a detailed design and system prototype (design phase). The detailed design should then be turned into a working system within two to six months (build phase). If things take longer than this, the project is moving too slowly and it will lose momentum and drift. It’s the system builder’s responsibility to keep things organized and moving. Make sure this person is capable.

How are the six tactical principles for running projects being applied (see box, left)? Do you believe the answers you hear? Can the system builder explain this clearly, using plain language, or does he resort to the use of jargon? A qualified person can give you straight answers. The system builder is, in effect, the general contractor running the job. He can make or break the project. Get a new one if you need to.

What’s the situation this week? Spot-check the project plan and budget from time to time. Have the system builder review the current project plan with you, show you the money spent to date on each subsystem, and the estimate for remaining time and budget to complete each subsystem. Do you believe what you hear? Can the system builder explain the situation clearly, without tech talk? How does the most recent estimate of time and budget compare to original estimates? Is it still worth the cost to complete the project?


COMPETENCE  AND  CONFIDENCE 
OF  PEOPLE  ON  THE  PROJECT 

Ask  the  following  questions  of  yourself,  the  system 
builder  and  the  project  teams: 

What are the design specifications? As each project team completes its design phase, ask them to show you the design specifications, the process flow diagrams, the logical data model for their subsystem, the user interface, the technical architecture diagrams and the system prototype. Can they tell you how this system will deliver the business benefits in the cost-benefit analysis? Do the design specifications make any sense? Do the people on the team know what they’re talking about?

Are the project team members as confident as the project team leaders? Are the team leaders as confident as the system builder? If people believe they have the right skills and a good system design, they will be confident in their ability to build the system. If people at every level don’t share and reflect this confidence, there’s a problem somewhere. If people are trying to transfer onto the project, that demonstrates confidence. If people are transferring off the project or leaving the company, that indicates lack of confidence. Expect the project to fail.


Adapted  with  permission  from  Building  the  Real-Time 
Enterprise:  An  Executive  Briefing  by  Michael  H.  Hugos 
(John  Wiley  &  Sons  Inc.,  2005). 
Content Management

■ April 11-13, San Francisco
Sponsor: The Gilbane Report

The Gilbane Conference on Content Management Technologies includes tracks on content management, enterprise search and knowledge management, content technology, document and records management, and enterprise information integration. It also features keynotes, case studies and best practices. www.gilbane.com/conferences/overview.html


Strategic Alliances

■ April 14-15, New York
Sponsor: The Conference Board Inc.

Topics at the Strategic Alliances Conference include using alliances to fuel innovation and growth, introducing innovation through alliances, sourcing innovation externally, partnering with competitors, forging big-small alliances, implementing go-to-market strategies with partners and deciding when to partner. www.conference-board.org/conferences


Business Process Outsourcing

■ April 18-19, New York
Sponsor: IDC

Achieving Business Transformation Through Strategic Business Process Outsourcing includes a strategy track with presentations on specific functional segments of BPO as well as strategic partnerships, multifunctional engagements, metrics and global sourcing. The financial services track explores BPO within the insurance, banking, collections and payment services industries. www.idc.com/events


IT Symposium

■ May 15-19, San Francisco
Sponsor: Gartner Inc.

The Gartner Symposium and ITxpo includes tracks on operations management, IT asset management, governance and control, application development and integration, business intelligence, the role of the CIO, mobile and wireless, compliance, content management, CRM and more. www.gartner.com/events


BARBARA  GOMOLSKI 


CIO  Success: 
Nature  or  Nurture? 


I BET YOU’VE HEARD THIS BEFORE: The CIO must “get a seat” at the executive table. Once there, he must convince others that IT is strategic to the organization, thereby securing his own destiny. There are a host of other mandates that go along with this advice, such as “develop a good relationship with business stakeholders.”


Despite their best attempts, however, some CIOs are never elevated (figuratively or literally) from the basement of the organization. Why is that?

Recently, I had an interesting discussion with a number of seasoned IT managers. We were talking about some of the sage advice that is often given to CIOs, such as the above instructions. Eventually, the topic turned to what I thought was a good question: How much control does the typical CIO really have over his destiny?

I look at this as a sort of nature vs. nurture question. Nature vs. nurture has to do with how much of one’s behavior and personality is predetermined by genetics and how much is shaped by environmental factors. Applied to the destiny of CIOs, nature vs. nurture is a way to look at how much of a CIO’s success depends on his performance and how much is predetermined by the attitude, culture and strategy of the firm in which he works.

Advice to CIOs (including that given in my own column) almost always implies that the CIO is the master of his destiny. All he has to do is be a highly competent technologist, become a savvy business person and forge successful relationships with other business executives. Then IT becomes strategic, and the CIO gallops off to success.

This would be a good scenario, but intuition and our own experiences tell us that this is not always the way it happens.

I have talked with many CIOs who have shared their frustration about some of the roadblocks they face in making IT strategic and in securing their own place in the organization. These roadblocks often include the following:

■ The CEO or CFO (or both) doesn’t think IT is strategic and is unlikely to be persuaded that it is.

■ IT has always been seen as “overhead” or a cost center in the company.

■ The corporate executives don’t really understand what IT does, nor do they wish to.

Some will say these are merely cop-outs — ways for a CIO to escape his own responsibility. Certainly, some CIOs use statements like these to excuse their failure.

But I think that some CIOs face real roadblocks that virtually nobody could overcome. For example, if the CEO is convinced that IT is merely a utility — or worse, a necessary evil — how likely is it that even a good CIO can convince him otherwise?


BARBARA GOMOLSKI, a former Computerworld reporter, is a vice president at Gartner Inc., where she focuses on IT financial management. Contact her at barhgomolski@yahoo.com.


I suspect that the majority of CIOs and IT managers — even those facing some of the major challenges previously discussed — can still impact their destiny. But a smaller percentage (perhaps 20%) may work in organizations where the attitude toward IT makes it almost impossible for IT to ever be seen as strategic.

As an IT professional and potential or current CIO, you need to think about this when you look at career opportunities. If you want a seat at the executive table and want to oversee a strategic IT group, you’d better make sure that the CEO’s attitude and the corporate culture support that ambition. Don’t assume that you can change the CEO’s mind.

Conversely, if you are content to be the keeper of infrastructure and head of an IT utility, find an organization where that vision matches the top executive’s idea of “great IT.”

Most of you do have some control over your destiny. You must continue to provide reliable and low-cost infrastructure services while developing strong relationships with business leaders. You must help the business to understand how it can use IT to accomplish its goals. You must determine the staffing mix that will help you do all this.

But for those in the minority, who have little or no control over your destiny, there’s not a whole lot you can do except understand the situation you face. And you might want to look for another job.


STACKED  DECK? 

Many  organizations  unwittingly  set  up  the  CIO  to  fail. 

Take  this  CIO  success  quiz  to  gauge  your  chances: 
Want our opinion? For more columns and links to our archives, go to www.computerworld.com/opinions


JASON 
IT  DIRECTOR 
WEBEX  FANATIC 


sales  center 


training  center 


event  center 


support  center 


No  one  is  more  fanatical  about  secure  web  meetings  than  the  men  and  women  of  IT.  Their  solution  of  choice:  WebEx.  Every 
WebEx  meeting  application  runs  on  the  ultra-secure,  highly  scalable  and  proven  reliable  MediaTone™  network.  Unlike  other 
web  meeting  solutions  you  don't  install  MediaTone.  You  tap  into  it.  Nothing  even  touches  your  servers.  Low  impact.  High 
security.  And  an  interface  users  love.  Now  you  can  actually  please  all  of  the  people  all  of  the  time.  Secure  web  meetings 
Who was selected as best in BI?


Siebel Business Analytics
Best Business Intelligence Application
2004 RealWare® Award Winner


Siebel Business Analytics received the most prestigious BI award because unlike traditional BI vendors, Siebel meets the new business demands of enterprise BI. Siebel delivers richer, real-time intelligence for everyone across your enterprise. Working seamlessly with your existing systems and data warehouses, Siebel’s mission-critical BI architecture supports multi-terabytes of data and thousands of users. And Siebel's pre-built solutions embed industry-specific best practices that are flexible, quickly implemented, and deliver low TCO.

To  learn  more,  visit  www.siebel.com/realware 
A Good Offense

Tired  of  being  under  attack, 
IT  executives  like  Eric  Litt, 
chief  information  security 
officer  at  GM,  are  taking 
preventive  steps  to  head  off 
security  breaches.  Page  36 


Supersmart  Security 

Fresh  from  the  lab, 
these  intelligent  security 
systems  are  designed  to 
recognize  new  threats 
and  limit  damage. 

Page  46 
OPINION

Secure  the  People 

Most  companies  are 
overlooking  their  biggest 
security  hole  —  their  own 
people,  says  columnist 
Mark  Hall.  Page  50 


Ask an IT executive whether he’d prefer a proactive security stance over a reactive one, and of course the answer would be yes. For one thing, it just sounds better. Plus, it’s not much fun being reactive, because it means cleaning up messes like thousands of virus-infected PCs and explaining the nightmare to the boss.

So this special report is dedicated to the notion that it’s better to be proactive — a concept that seems obvious but is very new in the IT security field. You’ll learn how to buy intrusion-prevention systems, build a proactive security organization and bake security into the application development process at the outset.

But no security organization can possibly be 100% proactive. “That would mean that you predict every possible threat and risk to your organization. The fact is that you will be surprised and caught off-guard from time to time,” says Doug Landoll, CEO of IT security consultancy Veridyn. In other words, sometimes you’ll have no choice but to be reactive, though ideally you will be able to quickly identify and respond to those crises, he says.

So what we’re really saying is that it’s time to blend some proactive techniques into your security mix, which is what forward-thinking companies like General Motors and AT&T are doing. “You just cannot sit back any longer and wait for your LAN to go down,” says Ed Amoroso, chief information security officer at AT&T. “You need to be looking at things before they become a problem.”


Mitch Betts is executive editor of Computerworld. He can be reached at mitch_betts@computerworld.com.
“We are in a competitive stalemate with the creators of malware. What we are trying to do is gain back the advantage,” says ERIC LITT, CISO at General Motors.
A Good Offense


Eric Litt, chief information security officer at General Motors Corp., calls it “management by inclusion.”

Simply put, it’s an information security strategy that reduces operational risk by denying network access and services to all people and processes not previously vetted by the company. “If I don’t know you’re good, I don’t talk to you,” Litt says.

Litt is one of a growing number of security managers who say traditional reactive defenses — focused on blocking known threats at the edge of the network perimeter — are no longer enough. What’s needed are more-proactive security capabilities that emphasize quicker identification and resolution of both internal and external threats.

“You just cannot sit back any longer and wait for your LAN to go down or for your employees to complain,” says Ed Amoroso, CISO at AT&T Corp. “You need to be looking at things before they become a problem.”

Several factors are driving this trend toward more-strategic security operations. Laws such as the Sarbanes-Oxley Act have put a greater burden on companies to demonstrate due diligence on matters related to information security. Worms, viruses, spyware and other types of malicious code are getting a lot better at sneaking past firewalls, antivirus defenses and intrusion-detection mechanisms. And growing wireless use, remote workers and the trend toward Web services are giving hackers more avenues for launching attacks.

Another important fact: The time it takes for hackers to exploit software holes has been shrinking dramatically, giving users very little time to react to new threats. The SQL Slammer worm of 2003 took eight months to appear after the flaw it exploited was first publicized. In contrast, last year’s MyDoom worm started making the rounds in less than four weeks.

“It’s getting so nasty out there, it’s frightening,” Amoroso says.

To achieve its goal of more-proactive security, GM launched a sweeping overhaul of its processes, including the manner in which it authenticates users and systems, enforces security policies, controls access to network services, patches holes, spots intruders and responds to incidents.

It’s a mighty task for a $186 billion behemoth with global operations, thousands of partners and tens of thousands of users. But it’s essential in order for GM to stay one step ahead of the bad guys, Litt says.

“We are in a competitive stalemate with the creators of malware,” Litt says. “What we are trying to do is gain back the advantage.”

Lane Timmons, security systems analyst at Texas Tech University’s medical school in Lubbock, says a key to this is a better understanding of how your company’s networks behave normally so you can spot abnormal activity more quickly.

After getting hammered by worms and viruses over the past few years, the school deployed several tools to help it spot and squelch attacks more quickly than the “hundreds of man-years of effort” that it used to take, Timmons says.

Among those tools is the network behavior modeling product QRadar from Q1 Labs Inc. in Waltham, Mass. The software analyzes and models typical network activity over a set period of time and then uses that data as a baseline to identify abnormal activity that might suggest the presence of worms, Trojans, port scans or denial-of-service attacks.

Such behavior modeling has dramatically improved the university’s ability to detect and respond to both internal and external intrusions, Timmons says. “Our ability to do a real-time analysis of our networks has made a big difference,” he says.

Actionable Data

Integrating and correlating information from multiple security technologies is also crucial to enabling a more holistic view of the threats and vulnerabilities facing a corporate network, says Amoroso.

To this end, AT&T is retiring all of its individual Internet-facing firewalls, intrusion-detection systems and antivirus tools and is integrating the functions into its IP backbone layer. The company has built a massive security event management system, called Aurora, that’s capable of pulling in and correlating terabytes of network traffic and security data from the IP layer.

The data analysis allows AT&T to
spot trends and signs of impending trouble far better than the fragmented view provided by the individual security technologies, Amoroso says.

“It gives us real actionable data, to respond to threats” before they materialize into full-fledged problems, he says.
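
The baseline-then-deviation approach this article describes for network behavior modeling (learn typical activity over a set period, then flag departures from it) can be illustrated with the following added Python example. It is not QRadar's or any vendor's algorithm and is not from the original article; the flow tuples, addresses, the two features (distinct peers and distinct ports per interval) and the median/MAD scoring with a threshold of 4 are all assumptions chosen for illustration.

```python
"""Baseline-then-deviation detection over flow records (all data constructed)."""
from collections import defaultdict
from statistics import median

# A flow record is (interval index, source host, destination host, destination port).


def features(flows):
    """Per (interval, source): count of distinct peers and distinct destination ports."""
    peers, ports = defaultdict(set), defaultdict(set)
    for interval, src, dst, dport in flows:
        peers[(interval, src)].add(dst)
        ports[(interval, src)].add(dport)
    return {k: {"peers": len(peers[k]), "ports": len(ports[k])} for k in peers}


def build_baseline(flows):
    """Median and MAD of each feature per source host over the training window.

    Intervals in which a host sent nothing are not counted as zeros (assumption).
    """
    series = defaultdict(lambda: defaultdict(list))
    for (_, src), feats in features(flows).items():
        for name, value in feats.items():
            series[src][name].append(value)
    baseline = {}
    for src, by_feature in series.items():
        baseline[src] = {}
        for name, values in by_feature.items():
            med = median(values)
            mad = median([abs(v - med) for v in values])
            baseline[src][name] = (med, mad)
    return baseline


def score(value, med, mad, floor=1.0):
    """Robust z-score. 1.4826 * MAD approximates a standard deviation; the floor
    stops a perfectly steady host (MAD == 0) from alerting on a change of one."""
    return (value - med) / max(1.4826 * mad, floor)


def detect(baseline, flows, threshold=4.0):
    """Return alerts for hosts far above their own baseline, or with no baseline."""
    alerts = []
    for (interval, src), feats in sorted(features(flows).items()):
        if src not in baseline:
            # A host never seen during training cannot be compared to anything.
            alerts.append((interval, src, "no-baseline", None))
            continue
        for name, value in sorted(feats.items()):
            med, mad = baseline[src][name]
            s = score(value, med, mad)
            if s > threshold:  # one-sided: only increases are flagged
                alerts.append((interval, src, name, round(s, 1)))
    return alerts


def constructed_training():
    """Six quiet intervals for a workstation and a server (constructed sample)."""
    flows = []
    for i in range(6):
        for n in range(2 + i % 2):  # workstation: 2 or 3 web peers
            flows.append((i, "10.0.0.5", f"192.0.2.{n + 1}", 443))
        flows.append((i, "10.0.0.5", "192.0.2.1", 80))
        flows.append((i, "10.0.0.9", "10.0.0.20", 5432))  # server: one peer, one port
    return flows


def constructed_live():
    """Live traffic: one normal interval, then worm-like fan-out and a port sweep."""
    flows = [(6, "10.0.0.5", "192.0.2.1", 443), (6, "10.0.0.5", "192.0.2.2", 443)]
    flows += [(7, "10.0.0.5", f"10.0.1.{n}", 445) for n in range(1, 41)]
    flows += [(7, "10.0.0.9", "10.0.0.20", p) for p in range(1000, 1030)]
    flows.append((7, "10.0.0.77", "192.0.2.1", 443))  # host absent from training
    return flows


if __name__ == "__main__":
    for alert in detect(build_baseline(constructed_training()), constructed_live()):
        print(alert)
```

The quality of the alerts depends on the training window being clean: traffic from an already infected host would be learned as normal.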

Prep  Work 

Being proactive also means ensuring that security is built into your application software and not bolted on later, says Mary Ann Davidson, CISO at Oracle Corp.

Customers should ask vendors questions about their security practices, Davidson says. Questions should include, “How do you write secure code? Do you train your developers for that? Do you do ethical hacking to test your code? How are you making it easier for your customers to secure your code? What is the best practice for locking down your product?” she says.

What’s crucial at GM, says Litt, is “making sure the code we get is really secure out of the box and that the vendors are not making us a testbed for their software.” That’s because a majority of the security problems companies are facing today are the direct result of software bugs that hackers are exploiting. Litt is working with several influential industry and user groups to pressure vendors to pay more attention to security.

“We are trying to use our combined voices to drive the software industry to think about security in a different way,” says Litt, who for years has been including strict security terms and conditions in all of GM’s software purchasing contracts.

GM is also applying the same concept to the software it develops in-house. The company has instituted “toll gates” for reviewing security at various stages in the product development life cycle “even before the first line of code is written,” Litt says.

In the end, however, there’s a limit to just how proactive you can be, says Lloyd Hession, CISO at Radianz Inc., a New York-based provider of telecommunications services to financial companies.

“One of the key issues is that we can’t really figure out what the next threat scenario is going to be,” he says. “A year ago, for example, nobody was up and jumping over spyware. It’s kind of suboptimal to want corporate commitment and resources to be deployed today if you don’t know what it is being deployed to really stop.”

Instead, the goal should be to better prepare yourself for attacks, Hession says. And that means being able to identify threats early, have a good incident-response and backup process in place and ensure that there is no “skills mismatch” between your security team and the attackers when the attacks do come, he says.

“There is no silver-bullet technology or singular process change” for addressing this problem, Litt says. The goal should be to “social-engineer security into your processes versus putting it in as an afterthought,” he says. © 52584


SNIFF OUT TROUBLE

Robert J. Shimonski, author of the Sniffer Network Optimization and Troubleshooting Handbook, offers tips for properly assessing your risk of a network attack:

QuickLink a5610


Time Is of the Essence

Advance warning can be useful in preparing and prioritizing defenses, says Lloyd Hession, CISO at New York-based telecommunications provider Radianz. Last May, for example, his company received advance information on a critical protocol vulnerability in its voice-over-IP networks that received little of the broad attention that worms and viruses do but was vital to fix nonetheless, Hession says.

Radianz was notified of the vulnerability by its security intelligence service from Symantec Corp., which it uses to monitor impending threats to its security. Symantec’s DeepSight threat management system collects data from firewall and intrusion-detection systems from about 20,000 sensors placed on customer networks around the world and looks for patterns suggesting worm or virus attacks.

Ensuring that all internal and external systems attempting access to a corporate network have the proper security configurations can prevent otherwise secure networks from being compromised by rogue machines. So, too, can timely patching, says Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.

“This is a game where we used to have a few weeks to prepare. Now, days matter,” says Powers, who is using an automated patch management tool from South Jordan, Utah-based LANDesk Software Inc. to test and deploy patches across his network. “It’s about doing it better and faster and just lowering the time between getting patches and getting updated.”

- Jaikumar Vijayan


Technology vendors are pitching a variety of tools and approaches to help companies better prepare for attacks. Among them are the following:

INTRUSION-PREVENTION SYSTEMS

These products, evolved from network intrusion-detection systems, help companies block both known and unknown attacks. Most products in this class work by looking for known virus signatures and anomalous network behavior that might indicate the presence of a worm or virus. See “Erecting Barriers” on page 42 for more on intrusion-prevention systems.

■ UnityOne IPS, TippingPoint Technologies Inc., Austin (a division of 3Com Corp.)

WHAT IT DOES: In addition to identifying and blocking threats, the tool supports traffic classification and rate-shaping functions for high-priority applications.

■ Attack Mitigator IPS 5500, Top Layer Networks Inc., Westboro, Mass.

WHAT IT DOES: The ASIC-based hardware appliance is designed to deal with content-based attacks, such as worms and Trojan horses, as well as rate-based attacks, such as distributed denial-of-service attacks.

■ Juniper IDP, Juniper Networks Inc., Sunnyvale, Calif.

WHAT IT DOES: It’s a rules-based intrusion-detection and -prevention tool.

■ Proventia, Internet Security Systems Inc., Atlanta

WHAT IT DOES: This appliance has more than 225 built-in rules for detecting and blocking hybrid threats.

ENDPOINT SECURITY PRODUCTS

These ensure that endpoint devices, such as PCs, notebooks and handhelds, have appropriate protections in place, including active firewalls and updated antivirus software and patches, before letting the devices access a corporate network.

■ Check Point Integrity, Zone Labs LLC, San Francisco (a unit of Check Point Software Technologies Ltd.)

WHAT IT DOES: It combines PC firewall technology with central policy management and policy-based enforcement on endpoint devices.

■ Secure Enterprise, Sygate Inc., Fremont, Calif.

WHAT IT DOES: It combines endpoint agent technology with policy management servers, LAN-based enforcement servers and remediation capabilities.

■ CyberGatekeeper, InfoExpress Inc., Mountain View, Calif.

WHAT IT DOES: This product suite combines functions for monitoring and enforcing security policies on local and remotely connected systems.

■ Cisco Security Agent, Cisco Systems Inc.

WHAT IT DOES: This software combines host intrusion-prevention functions with spyware/adware protection and host firewall and operating system integrity assurance.

SECURITY INCIDENT/EVENT MANAGEMENT TECHNOLOGIES

This class of products is used by companies to gather, consolidate and analyze information from multiple-point technologies such as firewalls, antivirus products and intrusion-detection systems. The goal is to enable better identification and response to key security incidents. For more on this topic, go to: QuickLink 52131.

■ Security Manager, NetIQ Corp., San Jose

WHAT IT DOES: It consolidates data from across the enterprise network and (
event correlation, visualization, 1
forensics to help companies get a r
picture of their security.

ArcSight Inc., Cupertino, Calif.

WHAT IT DOES:

mation from multiple devices, including asset value and vulnerability data. It also supports automated investigation and resolution of problems.

■ nFKI

NetForensics Inc., Edison, N.J.

WHAT IT DOES: Its
Catch flaws at the application development stage to avoid costly breaches. By Heather Havenstein


IT’S A problem at many organizations today: Developers are so narrowly focused on quickly building feature-rich applications that security becomes an afterthought. The task of securing those applications is often left to others — traditionally, systems administrators who can wield firewalls, intrusion-detection software and other weapons at the network perimeter after the applications have been deployed.

“The industry has been treating security as a perimeter issue — keep the bad guys out [of] the castle, and everything is fine,” says James Whittacker, co-founder of Security Innovation Inc., a Boston-based company that provides security assessment and testing services. “The bad guys get in, or they are already in [because] they are employees at our company. The lion’s share of the burden falls on application developers to make sure it’s not their application that is the entry point for a breach.”

Yet few organizations have standardized efforts to address security inside the perimeter, says Ron Exler, director of research operations at Robert Frances Group Inc. in Westport, Conn.

Finding a Fix

According to research firm Gartner Inc., although many companies have made significant investments in tools to secure production applications, fixing security flaws prior to production can generate significant cost savings. If 50% of vulnerabilities were removed before production of purchased and internally developed software, enterprise configuration management costs and incident-response costs could be reduced by 75% each, Gartner says.

To do it right, companies need to write a business application profile and a user application profile as part of the development process, says Exler. A business application profile details what an application does and its various components. A user application profile lays out the likely users of the application and how they will be using it.

“Security definitely ties into both the application and the users,” Exler says. “As you are developing, you need to be cognizant of how the application is going to be used and the flow of it.”


MAKE VENDORS PAY

Opinion: Want more-secure applications? Then make software vendors liable for the holes in their products, says Bruce Schneier, CTO at Counterpane Internet Security:

After the profiles are completed, IT security people can be brought in to analyze the security scenarios of these profiles. “You can see the potential weaknesses in the application, in the user workflow, and then you can see where you can build protections,” Exler says.

The testing and quality assurance phases also should include a focus on security. An application that doesn’t meet security requirements should be considered defective, just like an application that has errors or bugs that result in performance problems, says Exler.

But even more important is to change the “code and go” mind-set of developers. “If security needs to be raised in importance in the application development process, it should be part of the developer’s performance plan, just like showing up on time or writing code with fewer errors,” Exler explains.

Finally, companies should also be scrutinizing the security practices of their IT vendors. Exler suggests that companies add compliance with security requirements as part of service-level agreements.

Rigorous Review

Blue Cross and Blue Shield of Massachusetts Inc. has already ramped up efforts to infuse the company’s application life cycle with preemptive security efforts.

Beginning with the technical design and review phase for new applications, the company evaluates for security risks and builds steps into the design and documentation that are aimed at eliminating potential holes, says Frank Enfanto, vice president of operations delivery and information security at the Boston-based health care organization. For example, it might use domain modeling or add permission- or role-based access to secure code, he says.

“We try to ensure we are consistent from project to project. That gives us a certain level of guidelines for developers to use,” Enfanto says. “We also provide [developers] with certain coding standards that help mitigate general security risks.”

Blue Cross conducts negative application testing to try to find security flaws that could allow unauthorized access to an application once it’s deployed. The organization also scans its applications with intrusion-detection technology to identify potential security holes in the code, but those types of tools are immature and return a lot of false positives, according to Enfanto.

“Our approach is not to just tell the coders to do this and test it and assume we are OK,” Enfanto says. “Whatever you are doing in development and design, you are doing it in a pristine and clean environment. It is not the real world until it is deployed.” © 52583


Test It Or Toss It

AT PENTAIR INC., a Golden Valley, Minn.-based water treatment and storage product company, vendors are required to submit their Web application or hosting products to be scanned for security vulnerabilities by SPI Dynamics Inc.’s WebInspect tool.

“If they don’t allow us to run the tool and find the vulnerabilities, I am not interested in allowing them to host my data,” says Paul Samadani, Pentair’s director of corporate IT. “We’ve been able to eliminate products or tell them they have to go back and fix a product that had issues.”

The tool was designed to identify vulnerabilities within the Web application level at all phases of the application life cycle, including development, quality assurance, production and auditing.

For internal development, Pentair uses WebInspect to check any changes to code or new code developed for Web applications.

In addition, the company has customized the product to ensure compliance with internal security policies.

The cost-benefit analysis for these tools is similar to that for buying perimeter tools, according to companies that have made the leap to building security protection into their applications.

“You can recover the cost of the technology on one mistake that you find,” Samadani says. “Within seconds, someone will find that vulnerability, and you won’t even know about it until the information is gone. The cost if all your intellectual property leaks out is tremendous.”

- Heather Havenstein


Erecting

Intrusion-prevention systems don’t just tell you there may be an attack — they block it. By Drew Robb


There are two approaches to fighting viruses: prevention or cure. With networks, you can use an intrusion-detection system (IDS) to tell you when there is a problem or an intrusion-prevention system (IPS) to block it in the first place.

The Weather Channel Interactive Inc. in Atlanta, for example, picked up suspicious activity via an IDS. For several days in a row, it detected a high amount of traffic coming in for a specific server port from 1 a.m. to 3 a.m. “My concern was that if it was a probing attack and they were doing it off shift, I had to watch out for when they did a real attack during prime shift,” says Dan Agronow, vice president of technology.

This kind of after-the-fact probing is like using a thermometer to confirm that you are indeed running a fever — much too late to prevent infection. The Weather Channel wanted to be able to react quicker

and keep up with the latest attack patterns happening on the Internet. It installed UnityOne 1200 intrusion-protection appliances from TippingPoint Technologies Inc. in Austin. “Now when we get attacked, we have the forensic information we need and the ability to block it,” says Agronow.

Block  and  Tackle 

Intrusion protection is one aspect of a complete defense-in-depth strategy. It supplements but doesn’t replace other layers already in place.

“Don’t think that these products are something that will eliminate the need for spam filters, personal firewalls or whatever else you are using,” says Brian Philips, director of security at Network Systems Technology Inc. in Naperville, Ill., which provides managed networking, storage and security services. “IPS is part of a defense-in-depth strategy, not a replacement for what you already have.”

IPSs address some of the shortcomings that became apparent as companies deployed IDSs. While the latter tell you there may be an attack, the former seek to block it. In that sense, an IPS is similar to a firewall, but it takes the opposite approach.

“Firewalls and network IPS, though they appear to be very close to each other, are complementary but very distinct products,” says Greg Young, an analyst at Gartner Inc. “Firewalls block everything except what you explicitly allow through; an IPS lets everything through except what it is told to block.”

State of the Market

Broadly speaking, there are two types of IPS: NETWORK-BASED AND HOST-BASED. A network IPS is a device that performs a deep inspection of packets as they come through, even reassembling them to examine the entire communication before passing them along.

There are three types of vendors in this area:

1. Pure-play IPS vendors, such as TippingPoint.

2. IDS companies, such as Internet Security Systems Inc., which are expanding their functionality to include blocking.

3. Firewall makers, such as Check Point Software Technologies and NetScreen Technologies, which are adding deep packet-inspection functions to create “next-generation” firewalls.

In addition, IPS functions are being added to other network devices. For example, Juniper Networks Inc. acquired NetScreen last year, and 3Com Corp. purchased TippingPoint, so you can expect to see the added security technologies incorporated into the parent firms’ networking gear to block suspect traffic.

A host-based IPS, on the other hand, is software rather than an appliance and comes from different vendors. Gartner analyst Greg Young says host-based intrusion prevention for servers is a mature technology, but he advises companies to hold off for now on deploying it on the desktop.

- Drew Robb


The biggest concern with setting up an IPS is the problem of false positives: mislabeling legitimate traffic as malicious. Unlike an IDS, which sits off to the side and alerts only when it detects a potential problem, an IPS sits in-line and actively blocks traffic. Although vendors have gotten better with their identification algorithms, they are far from perfect.

“False positives are still a huge problem, so much so that it severely affects the value proposition of an IDS or IPS,” says Paul Stamp, an analyst at Forrester Research Inc. “Users are still really fearful that their IPS will end up effectively performing a denial-of-service attack on their infrastructure.”

To get around this, most devices are designed for a three-phase deployment. Philips describes the steps he took to set up a Sensitivist 500 IPS from NFR Security Inc. in Rockville, Md., for the Multiple Listing Service that Florida real estate agents use to share property information. It took 10 minutes to install the equipment and load some IP addresses for reporting. The box then operated in bypass mode, which means it didn’t block anything.

“We started by having it stop nothing, tag everything and then start turning stuff on,” he says.

Tuning took place over the next eight hours. During the second phase, the IPS still didn’t block anything, but it generated reports of what it would have blocked. Philips then reviewed this data and decided whether he wanted the IPS to block that type of traffic. The third step was to activate the IPS, using the rules Philips had established. He then scheduled two other follow-up sessions to further tune the blocking.

Young suggests, however, that one way to avoid false positives is to avoid tightening down rules too much. Although this means that some malicious traffic will get through, this approach still has value. “There is incredible value to be gained just from blocking the clearly bad stuff,” he says. “Then they can learn more about the gray areas and decide what else they want to stop.”
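The three-phase rollout Philips describes (bypass, report-only, then enforcement with the rules kept after review) can be modelled directly. This Python model is an added example, not vendor code or anything from the article; the rule names, addresses and traffic are constructed, and the known-good host list is an assumption standing in for the administrator's review of the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

BYPASS, REPORT, ENFORCE = "bypass", "report", "enforce"


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes                   # substring to look for; b"" matches any payload
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, flow: Flow) -> bool:
        port_ok = self.dst_port is None or self.dst_port == flow.dst_port
        return port_ok and self.pattern in flow.payload.lower()


class StagedIPS:
    def __init__(self, rules):
        self.rules = list(rules)
        self.mode = BYPASS
        self.approved = set()                  # rule names allowed to block
        self.seen = 0                          # flows inspected so far
        self.would_block = defaultdict(list)   # rule name -> sources (phase 2)

    def process(self, flow: Flow) -> str:
        """Return 'pass' or 'block' for one flow, according to the current phase."""
        self.seen += 1
        hits = [r for r in self.rules if r.matches(flow)]
        if self.mode == REPORT:
            for rule in hits:                  # record, never block
                self.would_block[rule.name].append(flow.src)
        if self.mode == ENFORCE and any(r.name in self.approved for r in hits):
            return "block"
        return "pass"

    def review(self, known_good):
        """Per rule: (would-block count, how many came from known-good hosts)."""
        return {name: (len(srcs), sum(s in known_good for s in srcs))
                for name, srcs in self.would_block.items()}

    def approve_clean_rules(self, known_good):
        """Keep only rules whose report-phase hits include no known-good host."""
        self.approved = {name for name, (_, false_pos)
                         in self.review(known_good).items() if false_pos == 0}
        return self.approved


# Constructed sample data (documentation and private address ranges).
RULES = [
    Rule("sql-keyword", b"select", 80),      # too broad: also hits a real query
    Rule("cmd-exe-in-url", b"cmd.exe", 80),
    Rule("inbound-rpc", b"", 135),
]
TRAFFIC = [
    Flow("10.0.0.5", 80, b"GET /listings?q=SELECT+homes HTTP/1.0"),  # legitimate app
    Flow("203.0.113.9", 80, b"GET /scripts/cmd.exe HTTP/1.0"),
    Flow("203.0.113.9", 135, b"\x05\x00\x0b\x03"),
    Flow("10.0.0.7", 80, b"GET /index.html HTTP/1.0"),
]
KNOWN_GOOD = {"10.0.0.5", "10.0.0.7"}


def run_rollout():
    ips = StagedIPS(RULES)
    phase1 = [ips.process(f) for f in TRAFFIC]     # bypass: stop nothing
    ips.mode = REPORT
    phase2 = [ips.process(f) for f in TRAFFIC]     # report what would be blocked
    report = ips.review(KNOWN_GOOD)
    approved = ips.approve_clean_rules(KNOWN_GOOD)
    ips.mode = ENFORCE
    phase3 = [ips.process(f) for f in TRAFFIC]     # block with reviewed rules only
    return phase1, phase2, report, approved, phase3


if __name__ == "__main__":
    for part in run_rollout():
        print(part)
```

The over-broad `sql-keyword` rule is the false positive the report phase exists to catch: it would have blocked a legitimate listing query, so it is left out of enforcement while the two clean rules go live.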

A  Step  Beyond 

Improved security isn’t the only benefit from installing an IPS. Matt Merritt, vice president of operations at Beal Service Corp. in Plano, Texas, which provides administrative support to other units of Beal Financial Corp., installed TippingPoint UnityOne 2400 units as part of complying with regulatory requirements governing protection of customer information. But he also found that it cut down the load on the rest of the network. “The overall performance on our network has generally improved, due in part to TippingPoint’s traffic normalization feature, which filters out bad or malformed packets,” he says.

The University of Georgia’s chief information security officer, Stan Gatewood, reports that putting in an IPS allowed him to see what was on the network and gain better control. “When we took a look at the network, we were shocked at the protocols that were running around out there,” he says. “We can now narrow it down to the standards and protocols we will support and block the rest.”

However, although these added benefits have value, the primary advantage is still the ability to block threats at the gateway, so the other layers don’t need to deal with them.

“There’s no reason to let Blaster into the network,” says Gartner’s Young. © 52264


Robb is a Computerworld contributing writer in Los Angeles. Contact him at drewrobb@sbcglobal.net.


Five Tips for Selecting an IPS

STAN GATEWOOD, chief information security officer at the University of Georgia in Athens, uses IPSs both at the Internet gateway and at several points in his own network. He uses appliances at the gateway scaled to process the more than 2Gbit/sec. that pass through that point.

Gatewood won’t disclose which model the university is using for edge protection, other than to say that it comes from either McAfee Inc., TippingPoint or Symantec Corp. - the three vendors whose products could process that much traffic. Internally, however, Gatewood needs only 100MB of capacity, so he uses several instances of Sleuth9 software from DeepNines Inc. in Dallas on a Sun Microsystems Solaris platform.

Gatewood offers the following five criteria he used to decide which systems to install:

1 PERFORMANCE. Since an IPS runs in-line, it must be able to analyze all the packets passing through it without overloading. “We needed to make sure that it would stand up to our bandwidth and not disrupt network operations,” he says. “You will find that a lot of vendors will fall off once you start talking about traffic in the gigabit range.”

2 BLOCKING ALGORITHMS. The systems need to use multiple algorithms - signatures, behavior and policies - to block malicious actions.

3 ANALYTICS. It must have some intelligence built in to tell the difference between a normal event and an attack.

4 REPORTING. “We must be able to quantify the usage of the IPS and generate both technical and executive reports to show it is indeed working for us,” says Gatewood.

5 INTERFACE. It needs to have a graphical user interface and a low learning curve for the IPS administrator. “We absolutely need it to be as intuitive as possible so we can have it up and running and effective as soon as possible,” he says.

Gartner analyst Greg Young agrees that performance is the No. 1 criterion when selecting an IPS, but he cautions against making a decision based on a vendor’s figures. Instead, a company needs to test in-house to see how it performs against its actual network traffic.

“We see customers getting very different results in terms of latency, throughput and overall IPS function,” he says.

- Drew Robb
For some time, we have been losing the battle against those who would damage our computer systems. That’s because computers are increasingly interconnected and the software they run is more complex. Both factors increase vulnerability to infection and intrusion.

Security measures haven’t kept up because they have tended to focus on prevention — antivirus software and firewalls are all geared toward blocking damage, not repairing it. And they are not all that good at detection because they are generally programmed to recognize known threats, not new ones.

“We’ve been riding the coattails of 1970s ideas, and the weaknesses are obvious to everybody,” says David Patterson, president of the Association for Computing Machinery. “Security problems are glaring.”

But experimental prototypes and a few commercial products are beginning to overcome the limitations of these 1970s ideas. Some of them can detect malware and intrusions without relying on hard-coded definitions or known behavior patterns. Others assume that bad things will happen regardless and instead attempt to limit damage and keep systems running.

Detection and Prevention

Sana Security Inc. in San Mateo, Calif., sells intrusion-prevention software patterned after biological immune systems. Its Primary Response product uses software agents to build a profile of an application’s normal behavior based on the code paths of a running program. It then watches execution of the program for deviations from the norm. It requires no predetermined signatures or policy rules.

The software stops anomalous behavior by blocking system call executions. Because the software continually learns, Sana says, it can recognize and allow legitimate code changes. That enables it to minimize false positives, which can be a major drawback of these kinds of security tools.

Sana’s technology has its roots at the University of New Mexico, where researchers have developed something of a specialty in “resilient and adaptive computing.” For example, they are working on Randomized Instruction Set Emulation, or RISE, which is based on the notion that diversity in code is a good thing. The same is true in biology: Resistance to disease is greater in wild plants, where there is much genetic diversity, than in cultivated ones, where there is much more homogeneity.


ersmart


Fresh from the lab, these intelligent security systems are designed to recognize new threats and limit damage. By Gary H. Anthes


RISE makes each system unique by randomly varying some code so that
for an attack to spread, it would have to be modified for each
computer. Some machine code is “randomized” at the time a process is
initiated and then “de-randomized” when it is fetched for execution.
In the meantime, malicious code would find the target code
unrecognizable.
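An added illustration of the randomize-at-load, de-randomize-at-fetch idea described above; it is not RISE's code. The three-opcode machine, the XOR masking and every name in it are assumptions chosen for the sketch, and the byte strings are constructed.

```python
import secrets
from typing import Optional

# Toy instruction set (constructed for this example, not a real CPU).
PUSH, ADD, HALT = 0x01, 0x02, 0x03


class IllegalInstruction(Exception):
    """Raised when a fetched byte does not decode to a known opcode."""


def xor_mask(data: bytes, key: bytes, base: int = 0) -> bytes:
    """XOR each byte with the key byte for its address (same operation both ways)."""
    return bytes(b ^ key[(base + i) % len(key)] for i, b in enumerate(data))


class Process:
    def __init__(self, program: bytes, key: Optional[bytes] = None):
        # A fresh key per process is what makes every running copy different.
        self.key = key if key is not None else secrets.token_bytes(64)
        # Code is "randomized" once, when the process is initiated.
        self.memory = bytearray(xor_mask(program, self.key))

    def fetch(self, addr: int) -> int:
        # Code is "de-randomized" only at the moment it is fetched.
        if addr >= len(self.memory):
            raise IllegalInstruction("fetch past end of code")
        return self.memory[addr] ^ self.key[addr % len(self.key)]

    def write_raw(self, addr: int, data: bytes) -> None:
        """Model bytes that land in memory without passing through the loader."""
        self.memory[addr:addr + len(data)] = data

    def run(self, max_steps: int = 1000) -> int:
        pc, stack = 0, []
        for _ in range(max_steps):
            op = self.fetch(pc)
            if op == PUSH:
                stack.append(self.fetch(pc + 1))
                pc += 2
            elif op == ADD:
                if len(stack) < 2:
                    raise IllegalInstruction("stack underflow")
                b, a = stack.pop(), stack.pop()
                stack.append((a + b) & 0xFF)
                pc += 1
            elif op == HALT:
                if not stack:
                    raise IllegalInstruction("halt with empty stack")
                return stack[-1]
            else:
                raise IllegalInstruction(f"opcode {op:#04x} at address {pc}")
        raise IllegalInstruction("step limit reached")


PROGRAM = bytes([PUSH, 2, PUSH, 3, ADD, HALT])   # the legitimate program: 2 + 3
FOREIGN = bytes([PUSH, 7, HALT])                 # bytes written for the plain instruction set


def demo(key: Optional[bytes] = None):
    """Run the real program, then overwrite its start with foreign bytes and rerun."""
    proc = Process(PROGRAM, key)
    legit = proc.run()
    proc.write_raw(0, FOREIGN)
    try:
        proc.run()
        outcome = "executed"
    except IllegalInstruction:
        outcome = "faulted"
    return legit, outcome


if __name__ == "__main__":
    print("no randomization:", demo(bytes(8)))
    print("per-process key: ", demo(bytes([0x5A, 0xC3, 0x3C, 0x99, 0x7E, 0xE1, 0x18, 0xB4])))
```

With a randomly drawn key a foreign byte can still decode to a valid opcode by chance, which is why the sketch faults on any undefined opcode rather than relying on the mask alone.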

But IT managers don’t have to wait for RISE to be commercialized to
get some benefits of diversity, says Patterson, who is also a computer
science professor at the University of California, Berkeley. “More
than one computer company makes computers, and more than one company
makes operating systems,” he says. “Cost of ownership is less when
everything is identical, but your vulnerability to attack is greater.”

Recovery  Room 

Computer security experts have come to recognize that no affordable
combination of protections can keep a system completely safe all the
time. So they are focusing on how to make attacks less damaging while
keeping systems running, albeit sometimes at reduced levels of
performance.

Patterson and others at Berkeley are working on recovery-oriented
computing (ROC), in which systems do fast, almost invisible
“microreboots” of the code experiencing some difficulty — a buffer
overflow, for example — while an application is running. The key to
ROC is logic that watches running processes, senses when something is
wrong and then triggers the microreboot before the whole system
crashes.

Patterson says there is a natural fit between tools for better
detection and prevention, such as Sana’s Primary Response, and tools
for surviving an attack, such as ROC. “ROC is trying to make recovery
fast and inexpensive,” he says. “If recovery is expensive and
complicated, then your detection mechanism needs to be close to
perfect.”

Patterson  says  his  research  team  had 
an  “Aha!”  moment  while  developing 
ROC.  “It  was  that  lowering  the  cost  of 
recovery  makes  it  tolerable  to  have  a 
higher  false-positive  rate.” 

Another way to keep business flowing is to simply slow an attack so
that fewer machines are infected before countermeasures can be
employed. As part of its work in resilient infrastructures,
Hewlett-Packard Co. has developed virus-throttling software that
permits connections from one machine to another at a slow rate — the
way users work, say, at one or fewer connections per second — but
delays or blocks connections to machines when the requests come at a
rate of hundreds per second, as they do with modern worms.
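An added sketch of the throttling behavior described above, not HP's software: connections to recently contacted machines pass, new destinations are released at about one per second, and a deep backlog of waiting requests trips a block. The working-set size, the backlog threshold and all names are assumptions, and the traces are constructed.

```python
from collections import Counter, OrderedDict, deque


class ConnectionThrottle:
    """Rate-limit connections to hosts this machine has not talked to recently."""

    def __init__(self, rate_per_sec=1.0, working_set_size=5, block_threshold=100):
        self.interval = 1.0 / rate_per_sec   # seconds between new-host connections
        self.size = working_set_size         # assumption: recent hosts remembered
        self.threshold = block_threshold     # assumption: backlog treated as an outbreak
        self.working_set = OrderedDict()     # recently contacted hosts, oldest first
        self.delay_queue = deque()           # new hosts waiting for a release slot
        self.next_release = 0.0              # earliest time the next new host may go out
        self.released = []                   # (time, host) log of delayed connections let out
        self.blocked = False

    def _remember(self, host):
        self.working_set[host] = True
        self.working_set.move_to_end(host)
        while len(self.working_set) > self.size:
            self.working_set.popitem(last=False)

    def tick(self, now):
        """Release queued connections, one per interval, up to time `now`."""
        while self.delay_queue and self.next_release <= now:
            host = self.delay_queue.popleft()
            self._remember(host)
            self.released.append((self.next_release, host))
            self.next_release += self.interval

    def request(self, now, host):
        """Decide a connection attempt: 'allow', 'delay' or 'block'."""
        self.tick(now)
        if self.blocked:
            return "block"
        if host in self.working_set:         # familiar host: not throttled
            self._remember(host)
            return "allow"
        if host in self.delay_queue:         # already waiting; do not queue it twice
            return "delay"
        if not self.delay_queue and now >= self.next_release:
            self._remember(host)             # slow, user-like rate: goes straight out
            self.next_release = now + self.interval
            return "allow"
        self.delay_queue.append(host)
        if len(self.delay_queue) > self.threshold:
            self.blocked = True              # a backlog this deep is not a person working
            self.delay_queue.clear()
            return "block"
        return "delay"


def classify(trace, **params):
    """Run (time, host) attempts through a fresh throttle and tally the decisions."""
    throttle = ConnectionThrottle(**params)
    return Counter(throttle.request(t, host) for t, host in trace)


# Constructed traces: a user cycling through 8 hosts at one connection per 1.5 s,
# and 300 attempts to distinct hosts squeezed into a single second.
USER_TRACE = [(i * 1.5, f"192.0.2.{i % 8 + 1}") for i in range(30)]
BURST_TRACE = [(10 + i / 300, f"host-{i}.example") for i in range(300)]

if __name__ == "__main__":
    print("user :", dict(classify(USER_TRACE)))
    print("burst:", dict(classify(BURST_TRACE)))
```

The user trace is never slowed, while the burst gets one connection out before everything else is queued and then refused.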

The Responsive Input/Output Throttling project at the University of
New Mexico is combining different defense mechanisms, an approach that
mimics biological defense mechanisms. It uses throttling to limit the
rate of connection to other computers. But throttling is made much
more flexible by coupling it with agents that learn the normal
behaviors of specific combinations of users, machines and
applications. “You turn it on and it learns what the rates are for
your network behavior,” says Matthew Williamson, senior researcher at
Sana and previously a developer of throttling technology at HP Labs.

“Throttling opened the door to thinking about rates of things instead
of, ‘Is it allowed or not?’ ” Williamson says. “People in security
tend to think in a binary way.” But security, and its cost, are not
either/or issues, he says.

“Costs can be significantly reduced by having systems that are
resilient, and they don’t have to work perfectly,” he says. “You get
quite a lot of value out of 80% security.”


SNAPSHOTS

Top  Five  Vendors 

The  biggest  vendors  of  IT  security  software 
worldwide,  by  2004  revenue: 


1. Symantec Corp.

2. McAfee Inc.

3. Computer Associates International Inc.

4. Check Point Software Technologies Ltd.

5. Trend Micro Inc.

SOURCE: IDC, FRAMINGHAM, MASS., DECEMBER 2004


Security Software

Worldwide new-license revenue for security software of all types:

[Chart not recovered; surviving axis label: $50B]

* Figures for 2005 and 2006 are projected

SOURCE: GARTNER INC., STAMFORD, CONN., FEBRUARY 2005


Top Barriers to IT Security

Limited budget

Limited staff dedicated to security

Limited or no time to focus on security

Limited or no security training/awareness

Complex technology infrastructure

Limited support from executives

Base: 8,000 senior IT executives in 62 countries

SOURCES: PRICEWATERHOUSECOOPERS, NEW YORK, AND CIO MAGAZINE, FRAMINGHAM, MASS., SEPTEMBER 2004


MARK  HALL 

Secure the People

When you and your company’s chief security officer sit down to plot
the budget for protecting the corporate WANs and LANs, servers and
desktops, laptops and other mobile devices, there’s a lot to discuss.
Should you invest in better firewalls or intrusion-prevention systems?
Additional antivirus technologies? Maybe some fancy new endpoint
security software?


Or  maybe,  just  maybe,  you  ought  to  invest  the  lion’s 
share  of  your  IT  security  budget  in  the  single  biggest  and 
most  glaring  security  hole  in  your  entire  organization: 
your  end  users.  If  you  did  that,  you’d  be  protecting  your 
pricey  IT  infrastructure  and  the  priceless  information  it 
contains  better  than  all  the  other  technology  combined. 

The Ernst & Young Global Information Security Survey last year
revealed that end-user security training was the No. 1 problem inside
large organizations. Yet less than half of the respondents said their
companies had a formal training program to meet that threat.

How  stupid  is  that? 

Most companies feel that they’ve trained workers if they’ve sent them
an e-mail with a list of do’s and don’ts. Some include a five-minute
bit of slideware as part of new-employee orientation. Neither approach
is worth much. You might as well tell workers, “We just don’t care
that much about IT security. Do whatever you want.”

Martin Bean, chief operating officer at New Horizons Computer Learning
Centers, says companies “only pay lip service” to end-user security
training. And, he adds, when he talks to the boards of directors at
major companies about securing their IT infrastructures, “the toughest
part of the conversation is about the need to retrain every single
employee” to be secure computer users.

I know that IT likes to believe that all problems created by
technology can be solved with more technology. In many cases, sad to
say, it’s true. But not this time. Technology is a small part of the
security solution. People are the big part.

Before workers are given computers and passwords, they should be given
at least a half-day, if not a full-day, tutorial about the ins and
outs of secure computing practices as defined by your IT department.
Dedicating precious time and resources to such a learning experience
tells new workers (and existing ones) that you are very serious about
IT security procedures. It’s not lip service.

In those sessions, employees should learn about everything from
phishing to the proper use of passwords. What’s more, they ought to be
told about the consequences of failing to be security-conscious
corporate citizens.

That’s  right:  consequences. 

If workers flout security procedures, they should be punished.
Although a network security administrator might think a firing squad
is a worthy punishment, it’s unlikely that the HR bigwigs will go
along with the idea. But they might agree to some well-conceived
consequences for a person’s documented failures to keep your company’s
IT assets safe, such as writing passwords on Post-it notes and
sticking them on monitors. I think the loss of one day of vacation for
every security violation after the first breach seems fair. And it
will get workers’ attention. No one likes to lose vacation time. Once
any employee has lost a week of vacation time, the next transgression
should mean job termination.

The standard whine from end users about, say, complex passwords is,
“It’s too hard to remember the password. It’s got numbers and
characters in it.” Of course it’s difficult. That’s the point. And,
yes, you need to write it down. But you can put it in a safe place
like maybe your wallet. You put money and credit cards inside a
wallet, so presumably you try to keep it safe. You carry a wallet in
your pocket or purse. If you think it’s too difficult for you to open
your wallet, well, maybe a firing squad is in order.

I  also  think  workers  should  be  rewarded  for  keeping 
a  company  secure.  For  example,  if  the  company  goes  a 
full  year  without  getting  infected  by  a  virus,  everyone 
gets  an  extra  vacation  day  in  the  next  calendar  year. 

My point here is that there’s far too much emphasis placed on
technology to solve a problem that’s often controlled by individuals.
You need to push your company from the CEO on down to redirect
resources to train and retrain employees on their critical
responsibility to maintain the security of your company’s IT
operations. If they’re not involved, you’re fighting a losing battle.
DATA SECURITY BILLS


Continued  from  page  1 

Data  Thefts 

islation, which he has yet to file as a bill, is similar to a proposed
Corporate Information Security Accountability Act that was outlined
two years ago by Rep. Adam Putnam (R-Fla.) but never formally
introduced.

“It’s really scary stuff,” the financial services security analyst
said. “Corzine’s bill is certainly one of the most radical ones that
have been proposed recently, and it has drawn a lot of concern.”

There clearly are “undertones of the Sarbanes-Oxley model” in the
proposal, said Erin Kenneally, a forensic IT analyst at the San Diego
Supercomputer Center’s Pacific Institute for Computer Security in La
Jolla, Calif.

Lawmakers  Step  Up 

Several other measures are already in front of Congress, including one
that would set a national law requiring businesses and government
agencies to notify affected individuals if databases are breached and
their personal information is compromised (see chart).

Most of the legislative proposals have either emerged or been
reinvigorated following a string of recent data-security snafus at
companies such as ChoicePoint Inc., Bank of America Corp. and Reed
Elsevier Inc.’s LexisNexis unit.

Like  the  other  measures, 
Corzine’s  promised  bill  is  a 
long  way  from  becoming  a 
law,  and  lawyers  and  analysts 
who  focus  on  IT  security 
stressed  that  there  is  no  telling 
whether  it  can  garner  the 
needed  support  in  Congress. 

But the proposal reflects what appears to be a growing conviction
among lawmakers that strong federal data privacy and information
security guidelines are needed in the wake of the recent breaches,
said Christopher Pierson, a lawyer at Lewis and Roca LLP in Phoenix.

Stephen  Wu,  president  of 
InfoSec  Law  Group  PC  in 
Mountain  View,  Calif.,  noted 
that  bills  such  as  Corzine’s 
“often  don’t  seem  to  get  very 
far,  except  when  things  get  so 
outrageous  that  action  is 
forced  on  Congress.” 

For example, the financial reporting mandates built into the
Sarbanes-Oxley Act followed a string of corporate accounting scandals,
Wu said. He added that with the recent data lapses “all coming
seemingly on the heels of one another, we are beginning to see the
same sort of sentiment” about the need for more security requirements.

Unlike regulations for specific industries, such as those based on the
Health Insurance Portability and Accountability Act and the
Gramm-Leach-Bliley Act for financial services, any new privacy laws
may be much broader in scope, said Nahra, who is a lawyer at Wiley
Rein & Fielding LLP in Washington.

Companies need to be prepared, said Michael Rasmussen, an analyst at
Forrester Research Inc. “It really is all about starting to document
your security practices and overall compliance” with existing
requirements, Rasmussen said.

Companies need to classify their data and get a full understanding of
both the process and technology measures that are in place for
securing protected information, Rasmussen added. They also need to set
policies for responding to and disclosing security breaches and focus
on issues such as vulnerability management, employee training,
communication and security awareness, he said.


Boston College, Cal State say no personal data lost

BY LINDA ROSENCRANCE
AND JAIKUMAR VIJAYAN

A computer used for fundraising activities at Boston College was
hacked into this month, initially raising concerns that the Social
Security numbers and other personal information of some 120,000 alumni
might have been compromised.

Although BC alerted the affected alumni to the breach, the college is
now sure that no personal data was stolen, said spokesman Jack Dunn.

The break-in was the second such incident reported last week by a
university. Officials at California State University, Chico, disclosed
that hackers had broken into a housing and food service system
containing information about 59,000 current, former and prospective
students, faculty and staff, including their names and Social Security
numbers.

A statement on the school’s Web site said the intruders apparently
installed rootkit software on the system for storing music, movie and
game files. They also attempted to break into other university
computers, the school said.

At BC, Dunn said the hacker planted a program that could be used to
launch attacks against other computers.

The school’s IT department discovered the security breach on a
computer that was managed by a third-party vendor and located in BC’s
fundraising calling center, according to Dunn. He said that during rou-


Consumer  Privacy 
Protection  Act 

[H.R.  1263] 

■  Introduced  by  Rep.  Cliff 
Stearns  (R-Fla.)  on  March  10. 

Requires  data  collectors  to  notify 
consumers  that  their  personal 
information  is  being  shared  with 
other  companies  and  to  give  them 
a  chance  to  limit  the  amount  of 
data  being  disclosed. 

■  Status:  Referred  to  the  House 
Committee  on  Energy  and  Com¬ 
merce. 

Information 
Protection  and 
Security  Act 

[S.500  and  H.R.  1080] 

■  Introduced  in  both  the  Sen¬ 
ate  and  House  on  March  10  by 
Sen.  Bill  Nelson  (D-Fla.)  and 
Rep.  Edward  Markey  CD- 
Mass.).  Would  give  the  Federal 


tine  monitoring  of  the  univer¬ 
sity’s  computers,  IT  staffers 
noticed  “a  spike  in  activity  on 
this  particular  computer.” 

The  workers  immediately 
took  the  machine  off-line,  se¬ 
cured  it  and  launched  a  com¬ 
puter-forensics  investigation, 
Dunn  said.  The  investigation 
concluded  that  the  computer 
wasn’t  targeted  to  access  per¬ 
sonal  information  but  to  allow 
the  hacker  to  launch  remote 
attacks,  he  added. 

The  IT  team  determined 
that  the  personal  data  stored 
on  the  system  wasn’t  accessed, 
Dunn  noted.  Nevertheless,  he 
said,  “we  decided  to  send  out 
the  precautionary  advisories 
to  all  of  our  alumni  on  the 
computer,  and  we  offered 
guidelines  they  should  consid¬ 
er  to  ensure  their  privacy.” 

BC  is  now  purging  all  Social 
Security  numbers  from  the  af¬ 
fected  computer  and  will  no 
longer  use  them  as  alumni 
identifiers,  Dunn  said.  He  said 
the  school  will  institute  a  new 
identification  system. 

Dunn  said  BC  has  contacted 


Trade  Commission  the  power  to 
develop  regulations  on  the  sale  of 
personal  information. 

■  Status:  S.500  has  been  re¬ 
ferred  to  the  Senate  Committee  on 
Commerce,  Science  and  Trans¬ 
portation.  H.R.  1080  was  referred 
to  the  House  Subcommittee  on 
Commerce,  Trade  and  Consumer 
Protection. 

Notification  of 
Risk  to  Personal 
Data  Act  [s.  1350] 

■  Originally  introduced  by 
Sen.  Dianne  Feinstein  (D- 
Calif.)  in  June  2003.  Would  re¬ 
quire  businesses  to  notify  affected 
individuals  when  their  personal 
data  is  compromised. 

■  Status:  Resides  with  the 
Senate  Subcommittee  on  Terror¬ 
ism,  Technology  and  Homeland 
Security.  Hearings  on  the  bill  have 
been  held. 


local  law  enforcement  agen¬ 
cies  but  had  not  yet  contacted 
state  or  federal  authorities. 

Officials  at  California  State 
University  are  now  notifying 
each  person  whose  name  and 
Social  Security  number  was 
on  the  system,  in  accordance 
with  state  law.  There  is  no  in¬ 
dication  that  the  hackers  were 
targeting  confidential  infor¬ 
mation,  school  officials  said. 

The  compromised  system 
has  been  “rebuilt  and  secured” 
and  has  been  put  back  onto 
the  university’s  network,  they 
added.  It  is  now  being  re¬ 
viewed  by  an  outside  securi¬ 
ty  firm. 

News  of  the  breach  comes 
just  as  the  university  has  put 
in  place  plans  to  use  a  ran¬ 
domly  assigned  nine-digit  ID 
number  for  students  and  em¬ 
ployees  instead  of  Social  Secu¬ 
rity  numbers.  ©  53253 
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Secure  EHR 
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NO  ONE  DISAGREES  on  the  benefits  of  an  elec¬ 
tronic  health  record,  just  who  should  pay  for  the 
process  of  conversion,”  wrote  one  M.D.  who 
read  my  column  on  EHR  two  weeks  ago.  “Most 
hospitals  don’t  have  the  funds  to  support  a  mas¬ 
sive  conversion  to  all-EHR.  So  it’s  easy  to  have  Mr.  Hayes  suggest  a 
mandate.  I’d  just  like  to  know,  who  will  fund  it?” 

Hold  that  thought.  Here’s  another  reader:  “There  is  another  issue 
that  I  think  holds  things  back,  and  that  is  worries  about  privacy.  Any¬ 
thing  on  paper  is,  by  definition,  more  private  than  anything  in  digital 
form,  especially  when  most  doctors  use  Microsoft  products.” 

Now  let’s  talk  about  Kaiser  Permanente  [QuickLink  53209]. 


Somehow, live data on 140 patients of the big HMO was posted to an internal development Web site, which became visible on the Internet.

An ex-employee says she was doing a Web search and found the patient data through a Google result. She filed a federal complaint that Kaiser had violated the Health Insurance Portability and Accountability Act and linked to the data in her weblog.

Now Kaiser is contacting the affected patients and seeking a restraining order against the ex-employee. The U.S. Office of Civil Rights, which enforces HIPAA, is looking into the mess. And suddenly, mandating electronic patient information doesn’t sound like it’s such a great idea, does it?

Maybe not. Or, just maybe, the right mandate might be a better idea than ever.

Let’s be realistic: Electronic information can leak. It happened in recent months to LexisNexis (data stolen on 32,000 people) and ChoicePoint (info on 145,000 people fraudulently purchased). Bank of America shipped backup tapes containing the credit card records of 1.2 million federal employees, including 60 U.S. senators, on commercial airlines in December — and they went missing, too.

Kaiser, which historically has been close to fanatical about patient privacy for its 8 million-plus members, hasn’t been immune. In 2000, an IT staffer used a one-time script to clear an e-mail backlog. Result: Confidential information on 858 patients was sent to 17 other patients who weren’t supposed to get that information.


Yes, electronic information can leak more easily than information on paper. And that’s most likely to happen with one-off scripts or unauthorized demonstrations or lashed-together data pipes. When security and privacy are designed into a system and procedures are rigorously followed — and enforced by the system — leakage is a lot less likely.

How do you maximize security and privacy for, say, electronic health records? You design it in from the start in a standard way. You mandate encryption (and what kind), you specify authentication (and how it works), you nail down access control (and all the details). In short, you force an EHR standard.

That will take a mandate, whether from Medicare or HIPAA or some other 800-pound gorilla that can force the health care industry to comply. Without it, there will be no privacy-oriented EHR standard, and we’ll end up with a thousand kinds of EHR, all lashed together with leaky pipes. Doing it right will require a lot less variety — and a lot more money.

And yes, to answer the doctor whose question kicked off this column, we already know who will pay for it. We all will, whether as patients or insurance buyers or taxpayers. Exactly how is up in the air. Incentives? Taxes? Higher medical bills? Free software? We don’t know. But we know this: In the end, the money always comes from customers — from us.

And as long as we’re paying for EHR, let’s make sure we get a system with security and privacy built in from the ground up. © 53215


Frank Hayes, Computerworld’s senior IT columnist, has covered IT for more than 20 years. Contact him at frank.hayes@computerworld.com.


SHARK TANK

Enough With Winter Already!

Environmental sensor goes off on Monday at 8:25 a.m.: water in the computer room. But when help arrives, no water is to be seen. Wednesday it happens again; still no water. Maybe it’s a bad sensor? Nope.

“It snowed both days,” pilot fish explains. “A tech had snow on his shoes, and it spread out just enough to set off the sensor. By the time we got there, the water was either gone or so small an amount that you couldn’t see it. We taught him to stomp his feet on the way in, and the problem was solved.”


Read? 

Pilot fish clears up a problem with this user’s out-of-office message and explains to her that by sending a test message to herself, she set up an infinite loop. I’ll add a note about that to the instructions for out-of-office messages, he tells her. User’s response: “I’m not sure what ‘instructions’ you are referring to. Since many employees don’t consult instructions if they believe they know how to perform a task, I urge you to send an Allusers message regarding this problem. Thank you.”

Everybody’s An Expert

Troubleshooting this user’s PC, pilot fish decides it’s time to restart the machine. “Unfortunately, I asked him to reboot,” fish says. “He quickly hit the reset switch, pleased at his prompt response. This crashed the several other applications still running in the background. When I asked him why he didn’t just click Start and choose Restart, he sighed, ‘You said reboot! That means power it off. You should have said ‘restart’ - they’re totally different!’ ”


Um... No

Sysadmin pilot fish resets user’s password and e-mails the user “I have reset your password. New password: monday1.” User replies promptly: “Thanks, but I’m not sure what you mean by your comment about Monday 1. Does that mean that my password can only be used on Monday, or that it will be reset on the first Monday of the month?”

Thanks a Lot

This bank’s tellers have the latest in 1970s technology - but it’s still in use in 2005, says a pilot fish there. One nice feature is the ability to store the teller transactions when the central mainframe isn’t available, then forward them when the mainframe reconnects. “During a planning session to design state-of-the-art replacements for this ancient hardware, the lead designer suggested that the store-and-forward file be kept on the mainframe,” fish sighs, “since that was more secure and had a larger storage capacity.”


SECURE A SHARK SHIRT. Send me your true tale of IT life at sharky@computerworld.com. If I use it, you’ll score IT’s favorite status symbol. And check out the daily feed, browse the Sharkives and sign up for Shark Tank home delivery at computerworld.com/sharky.



